1 Introduction


This paper describes the Phase 3 effort on the design and verification of the Reliable Computing Platform (RCP). The paper builds on the Phase 1 and Phase 2 efforts described in [1] and [2].

The goal of the RCP project is to devise a fault-tolerant computer architecture that 
adheres to a system-design philosophy called “Design For Validation.” The basic tenets of 
this design philosophy are summarized in the following four statements: 

1. A system is designed such that complete and accurate models, which estimate critical 
properties such as reliability and performance, can be constructed. All parameters of 
the model that cannot be deduced from the logical design must be measured. All such 
parameters must be measurable within a feasible amount of time. 

2. The design process makes tradeoffs in favor of designs that minimize the number of measurable parameters in order to reduce the validation cost. A design that has exceptional performance properties yet requires the measurement of hundreds of parameters (say, by time-consuming fault-injection experiments) would be rejected over a less capable system that requires minimal experimentation.

3. The system is designed and verified using rigorous mathematical techniques, usually referred to as formal verification. It is assumed that the formal verification makes the probability of system failure from design faults negligible, so the reliability model does not include transitions representing design errors.

4. The reliability (or performance) model is shown to be accurate with respect to the system implementation. This is accomplished analytically, not experimentally.

Thus, a major objective of this approach is to minimize the amount of experimental 
testing required and maximize the ability to reason mathematically about correctness of 
the design. Although testing cannot be eliminated from the design/validation process, the 
primary basis of belief in the dependability of the system must come from analysis rather 
than from testing. 


1.1 Recovery From Transient Faults 

There is a growing concern over the impact of high-intensity radiated fields (HIRF) and electromagnetic interference (EMI) on digital electronics. The electromagnetic environment is becoming increasingly hostile at the same time electronic device dimensions are being reduced, making the devices even more vulnerable to upset phenomena. The use of composite materials in aircraft will further increase susceptibility. Although an electromagnetic event may be of short duration, its effect may be permanent. This could occur as a result of permanent physical damage or merely the corruption of a memory state of an otherwise functional processor. Transient faults are believed to be much more prevalent than permanent faults (i.e., typical failure rate 10 times the permanent rate).
Several approaches can be used to recover the state of memory in a transiently affected digital processor. The simplest technique is to rely on the reading of new inputs to replace corrupted memory. Of course, this does not give 100% coverage over the space of potential memory upsets, but it is much more effective than one might expect at first glance. Since control-law implementations produce outputs as a function of periodic inputs and a relatively small internal state, a large fraction of the memory upsets can be recovered in this manner. This accounts for the fact that although many systems in service are not designed to accommodate transient faults, they do exhibit some ability to tolerate such faults.

Another important technique is the use of a watchdog timer. Since a transient fault can (and frequently does) affect the program counter (PC), a processor can end up executing in an entirely inappropriate place, even in the data space. If this happens, then the previous technique becomes totally inoperative. The only hope in this situation is to recognize that the PC is corrupted. A watchdog timer is a countdown register that sets the PC to a pre-determined “restart” location if the timer ever counts down all the way to 0. In a non-transiently affected processor, the watchdog timer is periodically reset by the operating system.

Once a fault has been detected by a watchdog timer, the entire system may be “rolled-back” to a previous state by use of a checkpoint, a previous dump of the dynamic memory state to a secondary storage device of some kind. This technique has not been used very often in flight control systems because of the unacceptable overhead of this type of operation. A more appropriate technique is the use of majority-voting to replace the internal state of a processor. It is important to note that this is done continuously rather than just after a transient fault is detected. Of course, majority-voting can be expensive as well if the dynamic state is not small.


1.2 Validation/Verification of Transient Fault Recovery

No matter what technique is used, its effectiveness must be measured and incorporated in the reliability analysis. This is much more important than one might first suspect. Since a transient fault can potentially disable an otherwise good processor, a worst-case analysis must increase the processor failure rate to include the transient fault rate. Because this rate can be 10 times larger than the nominal permanent fault rate, this can be devastating to the reliability analysis, unless a credible estimate of the fraction of transient faults that disable a processor can be obtained. In figure 1 the probability of system failure as a function of the fraction of recoverable transients (R) is plotted for a 4MR system. The Markov model of figure 2 was solved to obtain this plot. The horizontal transitions represent transient fault arrivals. The vertical transitions represent permanent fault arrivals. These arrive at rates λ_T and λ_P respectively. The backwards arc represents the removal of the effects of a transient fault by the operating system. This is accomplished by voting the internal state. State 1 represents the initial fault-free state of the system. There are only two transitions from state 1, due to the arrival of either a transient or a permanent fault. These transitions carry the system into states 2 and 4, neither of which is a system failure state. All of the transitions except one from these states are a result of second failures, which lead to system failure states. The transition from state 2 back to state 1 models the transient-recovery process. The transition from state 2 to state 4 models the situation where a processor that is recovering from a transient fault experiences a permanent fault. The effect becomes even more dramatic as the number of processors is increased, as shown in figure 3.

Figure 1: Probability of System Failure As a Function of R

Approaches to the validation of computer systems susceptible to transient faults fall into two broad categories: empirical and analytic. Empirical approaches rely on measuring the probability of successful recovery (R) and the recovery time (1/p) of the system using fault-injection experiments. Analytic approaches seek to establish the transient-fault immunity property (i.e. R = 1) of the system and calculate the value of p by mathematical analysis. The empirical approach measures the probability of successful transient recovery (i.e. R) and the distribution of recovery time using fault-injection experiments. The results of the experiment are used to estimate the transient-fault recovery transition in the Markov reliability model. The analytic approach relies on analysis to ensure that R = 1. In other words, one must prove that the recovery technique always removes the effects of an arbitrary transient within a bounded amount of time. In this approach, one does not rely on detection, which is always imperfect anyway. Transient recovery is automatic, via continuous voting and rewriting of state with voted values. The analysis must also be able to establish the value of the upper bound on the time for transient recovery. In this way one is able to calculate the value of p rather than measure it.¹

The analytic approach does not completely eliminate the need for measurements. Measuring (or estimating) the λ's (i.e. failure rates) in the reliability model is still necessary, but time-consuming fault-injection experiments are not. Furthermore, the reliability analysis does not depend on an empirical model of how a transient fault upsets a processor.

Figure 3: Probability of System Failure As a Function of R For a 5MR and 7MR

¹ To simplify the discussion, the reliability analysis process has been described in terms of a pure Markov process. The actual distribution of recovery time is more likely to be closer to a uniform distribution than an exponential, and thus a semi-Markov model would be used. The SURE program [3, 4] can be used to analyze this more general class of reliability model. It requires the mean and standard deviation of the recovery time. Under the assumption of a uniform distribution of recovery, these parameters can be derived from the upper bound on the time of recovery.

1.2.1 Advantages of Analytic Approach

The analytic approach has several clear advantages over the empirical approach. First, confidence in the system does not rely primarily on end-to-end testing, which can never establish the absence of some rare design flaw (yet more frequent than 10^-9) that can crash the system. Second, the analytic approach minimizes the need for experimental analysis of the effects of EMI or HIRF on a digital processor. The probability of occurrence of a transient fault must be experimentally determined, but it is not necessary to obtain detailed information about how a transient fault propagates errors in a digital processor. Third, the role of experimentation is determined by the assumptions of the mathematical proof. The testing of the system can be concentrated at the regions where the design proofs interface with the physical implementation.

1.3 The Synergism Between Formal Verification and Reliability Analysis

The analytic approach described above is in reality a synergism between formal verification and reliability analysis. Formal methods prove formulas of the form

A-PREDICATE ⊃ NICE-PROPERTY

Reliability analysis calculates the probability

Prob[ A-PREDICATE ]

Also, formal methods offer an approach to overcoming a serious dilemma for the reliability analyst: how can I assure myself that the reliability model itself is a valid representation of the implemented system? Although the present work does not establish a formal connection between the RCP functional specifications and the Markov model, key assumptions of the Markov model are formally verified. In particular, the absence of any direct transition from the fault-free state to a death state depends upon the fault-masking property established in the RS to US proof. Also, the simplification of the reliability model under the assumption that R = 1 is justified by the formal verification that 100% of the errors produced by a single transient fault are flushed by the system.
1.4 Overview of Previous Work


A major goal of the RCP project is to develop an operating system that provides the applications software developer with a reliable mechanism for dispatching periodic tasks on a fault-tolerant computing base, which appears to him as a single ultra-reliable processor.

The following design decisions have been made toward that end: 

• the system is non-reconfigurable

• the system is frame-synchronous 

• the scheduling is nominally static, non-preemptive 

• internal voting is used to recover the state of a processor affected by a transient fault 

Although scheduling is typically static, RCP would accommodate an implementation that 
used limited forms of dynamic scheduling, provided all the axioms about task execution 
are satisfied. A hierarchical decomposition of the reliable computing platform is shown in 
figure 4. 



Figure 4: Hierarchical Specification of the Reliable Computing Platform. 

The top level of the hierarchy describes the operating system as a function that sequentially invokes application tasks. This view of the operating system is called the Uniprocessor System layer (US). It is formalized as a state transition system and forms the basis of the specification for the RCP. As in the Phase 1 report [1], this constitutes the top-level specification of the functional system behavior defined in terms of an idealized, fault-free computation mechanism. The specification is the correctness criterion to be met by all lower level designs. The top level of the hierarchy describes the operating system as a function that performs an arbitrary, application-specific computation.
Level 2 is called the Replicated Synchronous layer (RS). In this level an abstract view of the system's fault-tolerance capability is specified. Fault tolerance is achieved by voting results computed by the replicated processors operating on the same inputs. Interactive consistency checks on sensor inputs and voting of actuator outputs require synchronization of the replicated processors. The RS level describes the operating system as a synchronous system, where each replicated processor executes the same application tasks. The existence of a global time base, an interactive consistency mechanism, and a reliable voting mechanism are assumed at this level. Processors are replicated and the state machine makes global transitions as if all processors were perfectly synchronized. Interprocessor communication is hidden and not explicitly modeled at this layer. Suitable mappings are provided to enable proofs that the RS layer satisfies the US layer specification. Fault tolerance is achieved using exact-match voting on the results computed by the replicated processors operating on the same inputs. Exact-match voting depends on two additional system activities: (1) single-source input data must be sent to the redundant sites in a consistent manner to ensure that each redundant processor uses exactly the same inputs during its computations, and (2) the redundant processing sites must synchronize for the vote. Interactive consistency can be achieved on sensor inputs by using Byzantine-resilient algorithms [5], which are probably best implemented in custom hardware. To ensure absence of single-point failures, electrically isolated processors cannot share a single clock. Thus, a fault-tolerant implementation of the uniprocessor model must ultimately be an asynchronous distributed system. However, the introduction of a fault-tolerant clock synchronization algorithm, at the DA layer of the hierarchy, enables the upper level designs to be performed as if the system were synchronous.

Level 3 of the hierarchy, the Distributed Synchronous layer (DS), breaks a frame into four sequential phases:

compute | broadcast | vote | sync


Activity on the separate processors is still assumed to occur synchronously. Interprocessor 
communication is accomplished using a simple mailbox scheme. Each processor has a mailbox 
with bins to store incoming messages from each of the other processors of the system. It 
also has an outgoing box that is used to broadcast data to all of the other processors in the 
system. The DS machine must be shown to implement the RS machine. 

1. compute 

• frame started by clock interrupt 

• execute all tasks scheduled in current frame 

• multiple frames constitute a cycle 


2. broadcast

• broadcast outputs of task execution to other processors

• usually just a subset of the outputs is broadcast

3. vote 

• vote broadcast data 

• replace memory with voted values 


4. sync 


• execute sync algorithm 

• wait for next clock interrupt 

Each processor in the system executes the same set of application tasks every cycle. A cycle consists of the minimum number of frames necessary to define a continuously repeating task schedule. Each frame is frame_time units of time long. A frame is further decomposed into 4 phases. These are the compute, broadcast, vote and sync phases. During the compute phase, all of the application tasks scheduled for this frame are executed. The results of all tasks that are to be voted this frame are then loaded into the outgoing mailbox. During the next phase, the broadcast phase, the system waits a sufficient amount of time to allow all of the messages to be delivered. As mentioned above, this delay must be greater than maxb + δ, where maxb is the maximum communication delay and δ is the maximum clock skew. During the vote phase, each processor retrieves all of the replicated data from every other processor and performs a voting operation. Typically, this operation is a majority vote on each of the selected state elements. The processor then replaces its local memory with the voted values. It is crucial that the vote phase is triggered by an interrupt and that all of the vote and state-update code be stored in Read-Only Memory (ROM). This will enable the system to recover from a transient even when the program counter has been affected by a transient fault. Furthermore, the use of ROM is necessary to ensure that the code itself is not affected by a transient.² During the final phase, the sync phase, the clock synchronization algorithm is executed. Although conceptually this can be performed in either software or hardware, we intend to use a hardware implementation.

At the fourth level, the Distributed Asynchronous layer (DA), the assumptions of the synchronous model are discharged. A fault-tolerant clock synchronization algorithm [6] can serve as a foundation for the implementation of the replicated system as a collection of asynchronously operating processors. Dedicated hardware implementations of the clock synchronization function are being pursued by other members of the NASA Langley staff [7, 8, 9]. Also, this layer relaxes the assumption of synchrony and allows each processor to run on its own independent clock. Clock time and real time are introduced into the modeling formalism. The DA machine must be shown to implement the DS machine provided an underlying clock synchronization mechanism is in place.

² In the design specifications, these implementation details are not specified explicitly. However, it is clear that to successfully implement the models and prove that the implementation performs as specified, such implementation constructs will be needed.

The basic design strategy is to use a fault-tolerant clock synchronization algorithm as the foundation of the operating system. The synchronization algorithm provides a global time base for the system. Although the synchronization is not perfect, it is possible to develop a reliable communications scheme where the clocks of the system are skewed relative to each other, albeit within a strict known upper bound. For all working clocks p and q, the synchronization algorithm provides the following key property:

|c_p(T) − c_q(T)| ≤ δ

which asserts that the difference in real time for two clocks reading the same logical time is bounded by δ, assuming that there is a sufficient number of nonfaulty clocks. This property enables a simple communications protocol to be established whereby the receiver waits until maxb + δ after a pre-determined broadcast time before reading a message, where maxb is the maximum communication delay.
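The timing argument behind the maxb + δ wait, as an added worked check that is not part of the report or its Ehdm specifications. It models each clock as c_p(T) = T + offset_p (perfect rate is an assumption made here), uses constructed offsets and bounds, and shows that waiting maxb + δ suffices for every sender/receiver pair while waiting only maxb does not.

```python
"""Timing check for the RCP broadcast rule (added illustration).

Clock p is modelled as c_p(T) = T + offset_p, so the synchronization
property |c_p(T) - c_q(T)| <= delta becomes a bound on offset differences.
"""

from itertools import permutations

# Constructed sample values (not from the report): clock offsets in
# milliseconds for four replicas, the skew bound delta and delay bound maxb.
OFFSETS = {"p1": 0.0, "p2": 1.8, "p3": -1.5, "p4": 0.7}
DELTA = 3.5
MAXB = 10.0


def clock(offset: float, logical_time: float) -> float:
    """c_p(T): the real time at which a clock with this offset reads T."""
    return logical_time + offset


def skew_property_holds(offsets: dict, delta: float) -> bool:
    """|c_p(T) - c_q(T)| <= delta for every pair of working clocks p, q."""
    return all(abs(clock(offsets[p], 0.0) - clock(offsets[q], 0.0)) <= delta
               for p, q in permutations(offsets, 2))


def message_available(sender_off: float, receiver_off: float,
                      broadcast_time: float, wait: float, delay: float) -> bool:
    """True if a message sent when the sender's clock read broadcast_time,
    delivered after `delay`, has arrived by the real time at which the
    receiver's clock reads broadcast_time + wait."""
    arrives_at = clock(sender_off, broadcast_time) + delay
    reads_at = clock(receiver_off, broadcast_time + wait)
    return arrives_at <= reads_at


def all_messages_available(offsets: dict, wait: float, delay: float,
                           broadcast_time: float = 100.0) -> bool:
    """Worst case: every ordered sender/receiver pair, with delivery taking
    the full `delay` (set delay = maxb for the bound the report uses)."""
    return all(message_available(offsets[p], offsets[q], broadcast_time, wait, delay)
               for p, q in permutations(offsets, 2))


def required_wait(offsets: dict, maxb: float) -> float:
    """Smallest wait that works for these particular offsets: maxb plus the
    largest actual skew. maxb + delta is the design-time upper bound on it."""
    max_skew = max(abs(offsets[p] - offsets[q]) for p, q in permutations(offsets, 2))
    return maxb + max_skew
```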

Figure 5 depicts the generic hardware architecture assumed for implementing the replicated system. Single-source sensor inputs are distributed by special purpose hardware executing a Byzantine agreement algorithm. Replicated actuator outputs are all delivered in parallel to the actuators, where force-sum voting occurs. Interprocessor communication links allow replicated processors to exchange and vote on the results of task computations. As previously suggested, clock synchronization hardware may be added to the architecture as well.

The basic concept of task execution is illustrated in figure 6. 

Tasks receive inputs from the outputs of other tasks (illustrated by horizontal arrows) 
or from sensors (shown by vertical arrows). The outputs of a task are not available to 
other tasks until after termination of the task. There is therefore no use of an intertask 
communication mechanism such as the Ada rendezvous. 

Task results are assigned to different cells within the state, as illustrated in figure 7. 

The Clock Sync Property layer and Clock Sync Algorithm layer represent the recently 
revised version of the Interactive Convergence clock synchronization theory developed by 
SRI [10]. 

Figure 5: Generic hardware architecture.

1.5 Availability of Specifications and Proofs

Both the DA_minv model and the LE model are specified formally and have been verified using the EHDM verification system. All specifications and proofs described in this report are available electronically via the Internet using anonymous FTP or World Wide Web (WWW) access. Anonymous FTP access is available through the host air16.larc.nasa.gov using the path:

pub/fm/larc/RCP-specs

The specification files are provided in two formats: 1) a set of plain ASCII source files bundled using the Unix tar utility, and 2) a single file in the “dump” format used by EHDM. Each version is compressed using both gzip and Unix compress. The compressed files range in size from 100 to 250 kilobytes.

WWW access to the FTP directory is provided through the NASA Langley Formal Methods Program home page:

http://shemesh.larc.nasa.gov/fm-top.html

or the specific page for the Formal Methods FTP directory:

file://air16.larc.nasa.gov/pub/fm/larc


2 Formalizing the DA_minv and LE Layers 

The RS model introduced a very abstract view of the execution of application tasks on a local processor. The DS and DA models concentrated on the distributed processing issues of the design and did not develop the task execution aspects of the system any further. In the LE model, a more detailed specification of the activities on a local processor is presented. In particular, three areas of activity are elaborated in detail:

• task dispatching and execution,

• minimal voting, and

• interprocessor communication via mailboxes.

These are presented in sections 3, 4, and 5, respectively. An intermediate model, DA_minv, that simplified the construction of the LE model is used. Some of the refinements occur in the DA_minv model and some in the LE model. For example, the concept of minimal voting is addressed in considerable detail in the DA_minv model.

2.1 Overview of Task Execution and Voting 

To understand the DA_minv and LE formalizations, a detailed presentation of the abstract 
model of task execution used in the upper levels is necessary. We begin with a review of this 
model. The abstract model was based upon the following functions: 

succ : function[control_state → control_state]

f_k : function[Pstate → control_state]

f_n : function[Pstate → Pstate]

f_t : function[Pstate, cell → cell_state]

f_c : function[inputs × Pstate → Pstate]

f_s : function[Pstate → MB]

f_v : function[Pstate, MBvec → Pstate]

f_a : function[Pstate → outputs]

recv : function[cell, control_state, nat → bool]

dep : function[cell, cell, control_state → bool]

The meaning of each of these functions is summarized in table 1. These functions define task scheduling, mailbox usage and voting on a single processor. To maximize generality, a minimal set of axiomatic properties of these functions was sought that would enable a proof that RS ⊃ US.

  succ   returns next control state
  f_k    extracts control state
  f_n    increments the frame counter
  f_t    extracts cell (e.g. task) state
  f_c    executes tasks and updates Pstate
  f_s    selects and copies cells from memory into outgoing mailbox slot
  f_v    votes mailbox values and overwrites cell states
  f_a    denotes the selection of state variable values to be sent to the actuators
  recv   true iff cell c's state should have been recovered before the specified frame
  dep    true iff cell c's value in the next state depends on cell d's value in the current state

Table 1: RS abstract functions
succ_ax : AXIOM f_k(f_n(ps)) = succ(f_k(ps))

control_nc : AXIOM f_k(f_c(u, ps)) = f_k(ps)

cells_nc : AXIOM f_t(f_n(ps), c) = f_t(ps, c)

full_recovery : AXIOM H > recovery_period ⊃ recv(c, K, H)

initial_recovery : AXIOM recv(c, K, H) ⊃ H > 2

dep_recovery : AXIOM recv(c, succ(K), H + 1) ∧ dep(c, d, K) ⊃ recv(d, K, H)

components_equal : AXIOM f_k(X) = f_k(Y) ∧ (∀ c : f_t(X, c) = f_t(Y, c)) ⊃ X = Y

control_recovered : AXIOM
  maj_condition(A) ∧ (∀ p : member(p, A) ⊃ w(p) = f_s(ps))
  ⊃ f_k(f_v(Y, w)) = f_k(ps)

cell_recovered : AXIOM
  maj_condition(A)
  ∧ (∀ p : member(p, A) ⊃ w(p) = f_s(f_c(u, ps)))
  ∧ f_k(X) = K ∧ f_k(ps) = K ∧ dep_agree(c, K, X, ps)
  ⊃ f_t(f_v(f_c(u, X), w), c) = f_t(f_c(u, ps), c)

vote_maj : AXIOM
  maj_condition(A) ∧ (∀ p : member(p, A) ⊃ w(p) = f_s(ps)) ⊃ f_v(ps, w) = ps

In the LE model, interpretations are given for each of the functions listed in table 1 and shown to satisfy these axioms.

The development of the LE model proceeded in two steps. The first step (i.e. DA_minv) produced an elaboration of the functions f_v, recv, dep, f_k and f_t. The next step (i.e. LE) produced an elaboration of the functions f_n, f_c, f_s and succ. This is illustrated in figure 8. The first set of interpretations (in DA_minv) all deal with the voting processes of RCP. In the RCP Phase 2 paper [2] three types of voting were discussed: continuous, cyclic and minimal. In Appendix B of [2] interpretations of these functions were given for both the continuous and cyclic methods of voting. The more efficient minimal-voting method has always been the method of choice for RCP, but the mechanical proofs were incomplete and were thus not included in [2]. However, the continuous and cyclic voting proofs were sufficient to establish that the abstract axiomatic definitions of the RS level were consistent.

Details about the completed mechanical verification of the minimal voting approach can be found in section 4. There the functions f_v, recv and dep are defined in terms of other functions that are dependent upon the particular application.
Figure 6: Task Execution

Figure 7: Assignment of Task Results to Cells

  Frame 1:  Task 1  cell[1]
            Task 2  cell[2] = f_2(cell[1])
  Frame 2:  Task 3  cell[3] = f_3(u, cell[2])
            Task 4  cell[4] = f_4(cell[3])
  Frame 3:  Task 5  cell[5] = f_5(u)
            Task 6  cell[6] = f_6(u, cell[4])
  Frame 4:  Task 7  cell[7] = f_7(cell[5], cell[6])

Figure 8: Two Step Refinement into LE Model

  DA
   |
  DA_minv  (interpretations for: f_k, f_t, f_v, recv and dep)
   |
  LE       (interpretations for: f_n, f_c, f_s and succ)
2.2 Specification Method: Ehdm Mappings

Unlike the higher levels of the hierarchy, the DA_minv and LE models were developed using 
the Ehdm mappings capability. 

2.2.1 Example 

The basic idea of Ehdm mappings is the substitution of an uninterpreted TYPE or function 
with an interpreted one. This is best explained by way of example. Consider 

high : MODULE
  THEORY
    f : FUNCTION[nat → nat]
    x : VAR nat
    f_ax : AXIOM f(x) > 0

    T : TYPE
    t : VAR T

    g : FUNCTION[T → nat]
    g_ax : AXIOM g(t) > 0

  END high

This specification has two uninterpreted functions f and g. Each function is constrained by an axiom. Note that both the domain and the body of g are uninterpreted. This specification may then be refined into the more detailed specification below, named low:

low : MODULE
  THEORY
    x : VAR nat

    F : FUNCTION[nat → nat] = (λ x : 100)

    T_imp : TYPE = nat
    y : VAR T_imp

    G : FUNCTION[T_imp → nat] = (λ y : y + 1)

  END low

The function / is refined into F and g is refined into G. The uninterpreted type T is 
replaced with nat. The intended connection between module high and module low must be 
made formal. This is done by the following Ehdm mapping module: 
to_low : MODULE

  MAPPING high ONTO low

    f → F
    T → T_imp
    g → G

  END

A mapping module consists of a list of associations denoted by →. On the left side of an → an object from the high-level specification is given. The corresponding object in the lower-level specification is given on the right side of an →. When the mapping module is typechecked, Ehdm generates a file containing a list of obligations that must be proved:

high_to_low : MODULE
  USING low

  EXPORTING ALL WITH low
  THEORY
    x : VAR nat

    f_ax : OBLIGATION F(x) > 0
    t : VAR T_imp

    g_ax : OBLIGATION G(t) > 0
  END high_to_low

In this example, discharging the obligations is simple. 

2.2.2 RCP Specifics 

In figure 9, the main modules associated with the DA_minv and LE models are given.

The horizontal arrows represent USINGs and the down arrows represent MAPPING modules. The modules into which the RS-level task-execution functions are mapped are given in table 2.

The list of all of the non-identical name associations in the mapping modules follows:

  null_memory → mem0
  cells → cell_mem
  MB → MBbuf
  null_memory → mem0
  pred → pred_cs
  =[cell_state] → CS_eq
  =[control_state] → cnst_eq
Figure 9: DA to DA_minv to LE Mapping Structure

Table 2: The modules where the abstract task-execution functions are interpreted.

2.3 The Model of Processor State 

In RS, DS and DA, Pstate was uninterpreted. The details about how the execution of tasks changed the state of a processor were left unspecified. The function “f_c”, which represents the change that occurs as a result of executing all of the tasks, was left uninterpreted also. The only changes to Pstate that were elaborated in some detail were those associated with replacing the local state with voted values. This was accomplished by the function f_v. The next step in refining the RCP into a detailed design involved the elaboration of the uninterpreted functions. This required a more detailed description of Pstate. In this section we will describe the elaboration of the processor state Pstate first in the DA_minv level and then in the LE level.

At the DA_minv level, Pstate is interpreted as follows:

Pstate : TYPE = RECORD
    control : control_state,
    memry : memory
  END


The state of a processor is partitioned into two components: the control state and the 
memory. The first component represents the state of the machine associated with the oper- 
ating system; the second component represents the rest of the state. However, both fields of 
this record are still uninterpreted types: 

control -state : TYPE 
memory : TYPE 

At this level, it is assumed that the frame counter can be retrieved from the control_state 
field via a function frame, that the contents of cells can be retrieved from the memry 
field via a function cells, and that they can be replaced in memory via a function write_cell: 

    frame : FUNCTION[control_state → frame_cntr] 

    cells : FUNCTION[memory, cell → cell_state] 

    write_cell : FUNCTION[memory, cell, cell_state → memory] 

The semantics associated with the functions that operate on Pstate are captured in two 
axioms: 

    cells_ax : AXIOM cs_length(cells(mem, cc)) = c_length(cc) 

    write_cell_ax : AXIOM cs_length(cs) = c_length(xx) ⊃ 
        cells(write_cell(mem, xx, cs), cc) 
          = IF cc = xx 
            THEN cs 
            ELSE cells(mem, cc) END 

Note that write_cell_ax only applies when cs_length(cs) = c_length(xx). The reason for 
this is that the contents of different cells can be of different sizes. This prevents the rewriting 
of a cell with a cell_state that has an inappropriate size. 

At the DA_minv level of specification, the memory of the system is modeled as a collection 
of cells. Thus, equality of memories is defined by the following axiom: 

    memory_equal : AXIOM (∀ c : cells(C, c) = cells(D, c)) ⊃ C = D 

Note that there is other memory in the system that is not modeled here. Examples of 
such memory include temporary storage and the program code, which is stored in ROM. The 
specifications described in this section are located in module rcp_defs_imp. These details are 
abstracted away in the upper levels through use of the Ehdm equality-mapping capability. 
Equality over cell_states is mapped onto the following function at the LE level: 

    cs1, cs2, cs3 : VAR cell_state 

    CS_eq : FUNCTION[cell_state, cell_state → bool] = 
      (λ cs1, cs2 : 
        cs1.len = cs2.len ∧ (∀ x : x < cs1.len ⊃ cs1.blk(x) = cs2.blk(x))) 
Ehdm requires that one demonstrate that this function is an equivalence relation. The following 
obligations are generated by the Ehdm system: 

    cell_state_var1 : VAR cell_state 
    cell_state_var2 : VAR cell_state 
    cell_state_var3 : VAR cell_state 
    control_state_var1 : VAR control_state 
    control_state_var2 : VAR control_state 
    control_state_var3 : VAR control_state 

    cell_state_reflexive : OBLIGATION 
        CS_eq(cell_state_var1, cell_state_var1) 

    cell_state_symmetric : OBLIGATION 
        CS_eq(cell_state_var1, cell_state_var2) 
          ⊃ CS_eq(cell_state_var2, cell_state_var1) 

    cell_state_transitive : OBLIGATION 
        CS_eq(cell_state_var1, cell_state_var2) 
          ∧ CS_eq(cell_state_var2, cell_state_var3) 
          ⊃ CS_eq(cell_state_var1, cell_state_var3) 

    control_state_reflexive : OBLIGATION 
        cnst_eq(control_state_var1, control_state_var1) 

    control_state_symmetric : OBLIGATION 
        cnst_eq(control_state_var1, control_state_var2) 
          ⊃ cnst_eq(control_state_var2, control_state_var1) 

    control_state_transitive : OBLIGATION 
        cnst_eq(control_state_var1, control_state_var2) 
          ∧ cnst_eq(control_state_var2, control_state_var3) 
          ⊃ cnst_eq(control_state_var1, control_state_var3) 

as well as some congruence properties not shown here. 

In the LE model, both components of Pstate (i.e., control and memry) are given detailed 
interpretations. These interpretations are described in the next two subsections. 

2.3.1 LE Model of Memory 

In the LE model, the concept of memory is extended significantly beyond that of the upper 
levels of the hierarchy. The type memory is defined as follows: 

    address : TYPE FROM nat WITH (λ n : n < mem_size) 
    memory : TYPE IS FUNCTION[address → wordn] 

Thus, in the LE model, memory is represented as a bounded array of words. The value of 
mem_size is application or machine dependent. The type wordn is still uninterpreted at 
this level (i.e., the number of bits in a word is left unspecified). 

The type cell is the index for components of computation state and the type cell_state 
is the information content of computation state components. At the LE level a cell_state 
becomes a fixed-length block of memory as illustrated in figure 10. 

Figure 10: Memory Cells: blocks of words (cells 1 through 6 laid out as consecutive blocks) 

Formally, a block of memory is represented as 

    mem_block_ty : TYPE = 
      RECORD 
        len : addr_len_ty, 
        blk : memory_ty 
      END 

The len field gives the length of the block, i.e., the number of words it holds, indexed from 0; 
all values of the blk field at indices at or above len are irrelevant. The cell_state type is 
interpreted as a mem_block_ty: 

    cell_state : TYPE IS mem_block_ty 

The uninterpreted function cell_map assigns memory locations to all cells in the system: 

    cell_map : FUNCTION[cell → address_range] 

The following three axioms constrain this function. 

    cell_map_length_ax : AXIOM length(cell_map(cc)) ≤ MBmem_size 
    cells_for_all_ax : AXIOM (∃ cc : address_within(adr, cell_map(cc))) 
    cell_separation : AXIOM (c1 ≠ c2) ⊃ address_disjoint(cell_map(c1), cell_map(c2)) 

The first axiom requires that the size of every cell is no larger than the size of the mailbox. 
The second axiom states that every memory location is covered by some cell. The third 
axiom says that cells do not overlap in memory; address_disjoint is defined as 

    address_disjoint : FUNCTION[address_range_ty, address_range_ty → bool] = 
      (λ ar, ar2 : ar.low > ar2.high ∨ ar2.low > ar.high) 

In the upper level models, the function cells was used to extract a cell from memory. This 
function is implemented in the LE model by a function named cell_mem as follows: 

    cell_mem : FUNCTION[memory, cell → cell_state] = 
      (λ mem, cc : 
        cs0(cc) WITH 
          [len := length(cell_map(cc)), blk := mshift(mem, cell_map(cc).low)]) 

    mshift : FUNCTION[memory, address → memory] = 
      (λ mem, low : 
        (λ n : IF n + low < mem_size THEN mem(n + low) ELSE word0 END IF)) 

Thus cell_mem shifts memory so that the first word of the cell sits at index 0 of blk, padding 
with word0 beyond the end of memory. The mapping produces the following obligation: 

    cells_ax : OBLIGATION cs_length(cell_mem(mem, cc)) = c_length(cc) 

The functions c_length and cs_length are defined as follows: 

    c_length : FUNCTION[cell → nat] = (λ cc : length(cell_map(cc))) 

    cs : VAR cell_state 

    cs_length : FUNCTION[cell_state → nat] = (λ cs : cs.len) 

The function write_cell is used to replace the contents of a cell in memory with a cell_state. 

    write_cell : FUNCTION[memory, cell, cell_state → memory] = 
      (λ mem, cc, CS : 
        (λ adr : 
          IF address_within(adr, cell_map(cc)) ∧ adr − cell_map(cc).low < CS.len 
          THEN CS.blk(adr − cell_map(cc).low) 
          ELSE mem(adr) END IF)) 

The function write_cell is slightly more general than the axiom at the DA_minv level requires. 
It allows one to update a cell using a cell_state of a different size than the cell being updated: 
a shorter cell_state rewrites only the first CS.len words of the cell, and the words of a longer 
one that fall outside the cell's address range are ignored. Nevertheless, the constraining axioms 
at the upper level, 

    write_cell_ax : OBLIGATION 
        cs_length(cs) = c_length(xx) 
          ⊃ cell_mem(write_cell(mem, xx, cs), cc) 
              = IF cc = xx 
                THEN cs 
                ELSE cell_mem(mem, cc) END 

    null_memory_ax : OBLIGATION cell_mem(mem0, cc) = cs0(cc) 

are shown to be satisfied by this implementation. 

The specifications in this subsection are located in the rcp_defs_hw.spec module. 
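To make the definitions above concrete, the following Python model executes this subsection's memory and cell functions. It is an added example, not code from the RCP project or its Ehdm modules. It fixes mem_size = 16, word0 = 0, a three-cell cell_map, wordn as a Python int and the reading of length(ar) as ar.high − ar.low + 1, all assumptions of the example, and it checks the instances of cells_for_all_ax, cell_separation and write_cell_ax on a constructed memory image. It also shows what write_cell does in the case the axiom does not cover, a cell_state shorter than its cell.

```python
"""Executable model of the LE-level memory and cell definitions (added example, not the RCP spec).
Assumed here: mem_size = 16, word0 = 0, wordn as a Python int, the cell_map below,
and length(ar) = ar.high - ar.low + 1."""
from collections import namedtuple

MEM_SIZE, WORD0 = 16, 0
AddressRange = namedtuple("AddressRange", "low high")   # address_range_ty: inclusive bounds
CellState = namedtuple("CellState", "len blk")           # mem_block_ty: len words live in blk[0:len]

# Constructed cell_map: three non-overlapping cells that together cover all of memory.
CELL_MAP = {"c1": AddressRange(0, 3), "c2": AddressRange(4, 9), "c3": AddressRange(10, 15)}

def length(ar):
    return ar.high - ar.low + 1

def address_within(adr, ar):
    return ar.low <= adr <= ar.high

def address_disjoint(ar, ar2):
    return ar.low > ar2.high or ar2.low > ar.high

def make_cell_state(words):
    """A cell_state from a word list; blk is padded to MEM_SIZE words with word0."""
    words = tuple(words)
    return CellState(len(words), words + (WORD0,) * (MEM_SIZE - len(words)))

def mshift(mem, low):
    """mshift: (λ n : IF n + low < mem_size THEN mem(n + low) ELSE word0)."""
    return tuple(mem[n + low] if n + low < MEM_SIZE else WORD0 for n in range(MEM_SIZE))

def cell_mem(mem, cc):
    ar = CELL_MAP[cc]
    return CellState(length(ar), mshift(mem, ar.low))

def write_cell(mem, cc, cs):
    """Replace the first cs.len words of cell cc; every other address keeps its old word."""
    ar = CELL_MAP[cc]
    return tuple(cs.blk[adr - ar.low] if address_within(adr, ar) and adr - ar.low < cs.len else mem[adr]
                 for adr in range(MEM_SIZE))

def cs_eq(cs1, cs2):
    """CS_eq: equal lengths and equal words below that length."""
    return cs1.len == cs2.len and all(cs1.blk[x] == cs2.blk[x] for x in range(cs1.len))

def c_length(cc):
    return length(CELL_MAP[cc])

def cs_length(cs):
    return cs.len

def cell_map_axioms_hold():
    """cells_for_all_ax (every address lies in some cell) and cell_separation (no two cells overlap)."""
    cells = list(CELL_MAP)
    covered = all(any(address_within(a, CELL_MAP[c]) for c in cells) for a in range(MEM_SIZE))
    disjoint = all(address_disjoint(CELL_MAP[a], CELL_MAP[b]) for a in cells for b in cells if a != b)
    return covered and disjoint

def write_cell_ax_holds(mem, xx, cs):
    """Instance of write_cell_ax; the axiom is stated only for cs_length(cs) = c_length(xx)."""
    if cs_length(cs) != c_length(xx):
        raise ValueError("write_cell_ax does not apply: cell_state and cell differ in size")
    new = write_cell(mem, xx, cs)
    return all(cs_eq(cell_mem(new, cc), cs if cc == xx else cell_mem(mem, cc)) for cc in CELL_MAP)

def short_write(mem, xx, n):
    """The case the axiom leaves open: an n-word cell_state written into a longer cell."""
    return write_cell(mem, xx, make_cell_state([0xAA] * n))

if __name__ == "__main__":
    image = tuple(range(100, 100 + MEM_SIZE))          # constructed memory image
    print(cell_map_axioms_hold())                                                   # True
    print(write_cell_ax_holds(image, "c2", make_cell_state([1, 2, 3, 4, 5, 6])))   # True
    print(short_write(image, "c2", 2)[4:10])           # (170, 170, 106, 107, 108, 109)
```

The size guard is the point of the last call: with a two-word cell_state only the first two words of the six-word cell c2 change and the rest keep their old values, so cell_mem(write_cell(...), c2) is not CS_eq to the cell_state that was written. That is why write_cell_ax is stated only for cs_length(cs) = c_length(xx).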
2.3.2 LE Model of control_state 

The control state of the processor is defined as follows: 

    control_state : TYPE = 
      RECORD 
        frame : frame_cntr, 
        mmu : mmu_state, 
        superflag : boolean, 
        errorflag : boolean 
      END 

The frame field indicates the current frame number, which is incremented by the operating 
system modulo the number of frames per cycle. The mmu field contains the memory 
management registers. The superflag is a boolean flag that indicates whether the processor is 
in supervisor mode. Certain instructions, such as loading the memory management registers, 
can only be performed while in supervisor mode. Finally, the errorflag field indicates whether 
a malfunction has occurred. 

In the upper levels of RCP, the only component of control_state that is used is frame. The 
other fields of control_state are abstracted away by mapping equality on control_states (i.e. 
=[control_state]) onto a function cnst_eq, defined as follows: 

    cnst_eq : FUNCTION[control_state, control_state → bool] = 
      (λ cn1, cn2 : cn1.frame = cn2.frame) 

Thus, equality of control states in the upper levels of the model only constrains the frame 
fields to be equal. 


3 Task Dispatching and Execution 

Tasks are executed during the compute phase of a frame. Different sequences of tasks 
can be executed during different frames. A schedule that consists of a 2-frame cycle (i.e. 
schedule_length = 2) is illustrated in figure 11. The particular cell that stores the results of 

Figure 11: Structure of frames and subframes 

the execution of a task during a particular frame and subframe is determined by the function 
sched_cell: 

    sched_cell : FUNCTION[frame_cntr, sub_frame → cell] 

This function is uninterpreted in DA_minv and remains so in LE. The number of subframes 
can vary from one frame to another; therefore, an additional function is specified that returns 
the number of subframes in a given frame: 

    num_subframes : FUNCTION[frame_cntr → nat] 

For convenience, the inverse functions are also defined. Given a cell, two functions indicate 
the frame and subframe in which a particular cell (i.e. task) executes. 

    cell_frame : FUNCTION[cell → frame_cntr] 
    cell_subframe : FUNCTION[cell → sub_frame] 

The relationship between these functions is given by an axiom: 

    sched_cell_ax : AXIOM 
        mm = cell_frame(c) ∧ k = cell_subframe(c) 
          ⊃ sched_cell(mm, k) = c ∧ k < num_subframes(mm) 

3.1 DA_minv Refinements 

In the upper four levels, the dispatching and execution of tasks were completely abstract. 
The function f_c: 

    f_c : FUNCTION[inputs, Pstate → Pstate] 

defined the state change on non-faulty processors but was uninterpreted. At the DA_minv 
level, we specify in more detail the steps involved in task execution. The function f_c is 
interpreted as follows: 

    f_c : FUNCTION[inputs, Pstate → Pstate] = 
      (λ u, ps : 
        ps WITH 
          [(memry) := exec(u, ps, num_subframes(frame(ps.control))).memry]) 

where 

    exec : RECURSIVE FUNCTION[inputs, Pstate, sub_frame → Pstate] = 
      (λ u, ps, k : 
        IF k = 0 THEN ps 
        ELSE exec_task(u, exec(u, ps, k − 1), k − 1) 
        END) BY exec_meas 

Thus exec runs the tasks of subframes 0 through k − 1 in order, each starting from the 
state left by its predecessor. Each call to the uninterpreted function exec_task 

    exec_task : FUNCTION[inputs, Pstate, sub_frame → Pstate] 

corresponds to the dispatching and execution of a single task. It is constrained by three 
axioms: 

    exec_task_ax : AXIOM 
        sched_cell(frame(ps.control), q) ≠ c 
          ⊃ cells(exec_task(u, ps, q).memry, c) = cells(ps.memry, c) 

    exec_task_ax_2 : AXIOM 
        frame(exec_task(u, ps, q).control) = frame(ps.control) 

    cell_input_constraint : AXIOM 
        X.control = Y.control 
          ∧ sched_cell(frame(X.control), q) = c 
          ∧ (∀ d : cell_input(d, c) ⊃ cells_match(X, Y, d)) 
          ⊃ cells_match(exec_task(u, X, q), exec_task(u, Y, q), c) 

The first axiom requires that all of the cells other than the one assigned to the executing 
task remain unchanged.[3] The second axiom states that the execution of a task cannot change 
the current frame number. The third axiom states that the execution of the same task on 
two different Pstates, X and Y, that have equivalent control_states and where all of the inputs 
to the task are the same, will produce the same outputs. 

Note that the specification says nothing about the values that are written into the cell 
associated with the task, because they depend on the particular workload executing on 
the RCP. Note also that nothing is said about the execution time of the individual tasks. 
The DA specification merely requires that all of the tasks complete within the time allocated 
for the compute phase of the system. 

Figure 12 shows the implementation tree for f_c. The arrows represent the "calls" relation. 
The module that a function is defined in is listed in square brackets. Functions that are still 
uninterpreted in the LE module are underlined. The specifications in this subsection are 
located in the gen_com module. 


3.2 LE Refinements 

At the DA_minv level the f_c function is defined in terms of a recursive function exec. The 
function exec invokes an uninterpreted function exec_task to execute a task. In the LE model 
exec_task is defined as follows: 

[3] In general this would not be the case for a task running on a faulty processor; however, this function is 
only used in the state-transition relations where the condition healthy(p) > 0 is satisfied. 

Figure 12: Function f_c implementation tree 

    exec_task : FUNCTION[inputs, Pstate, sub_frame → Pstate] = 
      (λ u, PS, csf : LET tws := t_write_set(u, PS, csf) IN 
        LET c := sched_cell((PS.control).frame, csf) IN 
        LET loaded_PS := load_mmu(set_super(PS), c) IN 
          write_em(tws, unset_super(loaded_PS), tws.num) 
            WITH [control := PS.control]) 

This function delineates the change to Pstate that accrues as a result of executing a task. A 
task running on a working processor will write its outputs into the appropriate cell locations 
in main memory. The set of memory locations that are altered by an executing task is 
assumed to be finite and is modeled as a bounded list of records of TYPE mup, where 

    mup : TYPE = RECORD addr : address, 
                        val : wordn 
                 END 

The field addr contains the address and val contains the new value to be written into that 
address. The list is of TYPE muplist, where 

    mupseq : TYPE = FUNCTION[nat → mup] 

    muplist : TYPE = RECORD num : nat, mups : mupseq END 

Only the entries mups(0) through mups(num − 1) of a muplist are meaningful. The function 
t_write_set returns such a list (i.e. of type muplist) corresponding to the current task's outputs. 
    t_write_set : FUNCTION[inputs, Pstate, sub_frame → muplist] 

    load_mmu : FUNCTION[Pstate, cell → Pstate] = 
      (λ PS, c : MMU(PS, word0, cell_map(c).low, cell_map(c).high, true, false)) 

It is expected that the muplists produced by redundant tasks executing on non-faulty 
processors would be identical and would only alter appropriate locations in memory. A 
recovering task, however, may attempt to write into an erroneous location. Consequently, 
t_write_set is a function of the full Pstate and the current inputs and not merely of the task 
name and its inputs. The MMU prevents an attempted write to an inappropriate location from 
actually taking place. The function write_em is called by exec_task to update Pstate in 
accordance with the values in the muplist. This takes place after the memory management 
unit registers have been loaded by the function load_mmu. Implicit in this definition is the 
requirement that the registers are loaded correctly even on a recovering processor (i.e. one 
that is non-faulty but not necessarily holding a recovered memory). Clearly this operating 
system code must not rely on any dynamic memory; the cell locations must be hard-coded 
into ROM. 

The recursive function write_em is called by exec_task to write to memory using the 
MMU. The function write_em updates Pstate with all of the values in the muplist produced 
by t_write_set, applying the entries from mups(i − 1) down to mups(0). 

    write_em : RECURSIVE FUNCTION[muplist, Pstate, nat → Pstate] = 
      (λ ml, PS, i : 
        IF i = 0 THEN PS ELSE 
          write_em(ml, MMU(PS, ml.mups(i − 1).val, ml.mups(i − 1).addr, 0, false, true), pred(i)) 
        END IF) 
      BY we_meas 

The mapping module from DA_minv to LE is of the form: 

    cebuf → cebuf 
    cnbuf → cnbuf 
    cell_frame → cell_frame 
    exec_task → exec_task 


3.3 Specification of the MMU 

In the LE model a set of outputs associated with a task's execution is written into specific 
memory locations. The values produced by the task are not specified: only the locations 
of the addresses that are written by a task are considered. As mentioned in the earlier 
RCP papers, a major consideration is the prevention of a working, but not fully recovered, 
processor from writing into a memory region not assigned to it. Thus, in the LE model 
a memory-management unit (MMU) is specified that sits between the processor and the 
memory. 

In this section, the abstract specification of a MMU is presented. The MMU contains 
registers that control which portions of memory can be written into. The registers are of 
type mmu_state. 

    address_range : TYPE FROM addrs WITH (λ aa : aa.high > aa.low) 
    mmu_state : TYPE IS address_range 

The MMU is defined as follows: 

    MMU : FUNCTION[Pstate, wordn, address, address, bool, bool → Pstate] = 
      (λ PS, w, a, b, setflag, RWflag : 
        IF setflag THEN MMU_set(PS, a, b) ELSE 
        IF RWflag THEN MMU_write(PS, w, a) ELSE PS END IF) 

This function calls MMU_set to load the MMU registers and MMU_write to write memory: 

    MMU_set : FUNCTION[Pstate, address, address → Pstate] = 
      (λ PS, a, b : 
        IF (PS.control).superflag THEN 
          IF a < b THEN 
            PS WITH 
              [control := PS.control WITH 
                [mmu := mmu_st_0 WITH [low := a, high := b]]] 
          ELSE 
            PS WITH [control := PS.control WITH [errorflag := true]] 
          END IF 
        ELSE PS WITH [control := PS.control WITH [errorflag := true]] 
        END IF) 

    MMU_write : FUNCTION[Pstate, wordn, address → Pstate] = 
      (λ PS, w, a : 
        IF address_within(a, (PS.control).mmu) 
        THEN PS WITH [memry := PS.memry WITH [a := w]] 
        ELSE PS END IF) 

The processor can only load the MMU registers while in supervisor mode; an attempt to load 
them outside supervisor mode, or with a low address that is not below the high address, leaves 
the registers unchanged and sets errorflag. A write to an address outside the loaded range is 
silently dropped. 
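The following Python model, added here as an example and not part of the RCP Ehdm modules, executes the LE definitions of sections 3.1 through 3.3 together: MMU, MMU_set, MMU_write, load_mmu, write_em, exec_task, exec and f_c. The cell_map, the sched_cell table, num_subframes, mem_size, word0 and the initial register value mmu_st_0 are assumptions of the example, and t_write_set is replaced by a constructed write set that behaves like the recovering task described above: it writes its own cell and also attempts one write into another cell. The final check is the instance of exec_task_ax that section 3.4 proves in general: every cell other than sched_cell(frame, csf) is unchanged and the control field is restored.

```python
"""Executable model of LE exec_task / write_em / MMU (added example, not the RCP spec).
Assumed here: mem_size = 16, word0 = 0, the cell_map and schedule below,
mmu_st_0 = [0, 0], and a constructed t_write_set standing in for a real task."""
from collections import namedtuple
from dataclasses import dataclass, replace

MEM_SIZE, WORD0 = 16, 0
AddressRange = namedtuple("AddressRange", "low high")    # address_range: inclusive bounds
Mup = namedtuple("Mup", "addr val")                      # one muplist entry

@dataclass(frozen=True)
class ControlState:            # control_state record of section 2.3.2
    frame: int
    mmu: AddressRange
    superflag: bool
    errorflag: bool

@dataclass(frozen=True)
class Pstate:
    control: ControlState
    memry: tuple               # MEM_SIZE words

# Constructed cell_map and schedule: frame 0 runs c1 then c2, frame 1 runs c3.
CELL_MAP = {"c1": AddressRange(0, 3), "c2": AddressRange(4, 9), "c3": AddressRange(10, 15)}
SCHED = {(0, 0): "c1", (0, 1): "c2", (1, 0): "c3"}
NUM_SUBFRAMES = {0: 2, 1: 1}
MMU_ST_0 = AddressRange(0, 0)

def address_within(adr, ar):
    return ar.low <= adr <= ar.high

def sched_cell(frame, csf):
    return SCHED[(frame, csf)]

def mmu_set(ps, a, b):
    """MMU_set: load the range only in supervisor mode and only if a < b; otherwise flag an error."""
    ctl = ps.control
    if ctl.superflag and a < b:
        return replace(ps, control=replace(ctl, mmu=AddressRange(a, b)))
    return replace(ps, control=replace(ctl, errorflag=True))

def mmu_write(ps, w, a):
    if not address_within(a, ps.control.mmu):   # MMU_write: outside the loaded range nothing happens
        return ps
    mem = list(ps.memry)
    mem[a] = w
    return replace(ps, memry=tuple(mem))

def MMU(ps, w, a, b, setflag, rwflag):
    if setflag:
        return mmu_set(ps, a, b)
    return mmu_write(ps, w, a) if rwflag else ps

def set_super(ps):
    return replace(ps, control=replace(ps.control, superflag=True))

def unset_super(ps):
    return replace(ps, control=replace(ps.control, superflag=False))

def load_mmu(ps, c):
    return MMU(ps, WORD0, CELL_MAP[c].low, CELL_MAP[c].high, True, False)

def write_em(ml, ps, i):
    """write_em unrolled: mups(i-1) is written first and mups(0) last, each through the MMU."""
    for k in range(i - 1, -1, -1):
        ps = MMU(ps, ml[k].val, ml[k].addr, 0, False, True)
    return ps

def exec_task(t_write_set, u, ps, csf):
    tws = t_write_set(u, ps, csf)
    loaded = load_mmu(set_super(ps), sched_cell(ps.control.frame, csf))
    out = write_em(tws, unset_super(loaded), len(tws))
    return replace(out, control=ps.control)      # WITH [control := PS.control]

def exec_subframes(t_write_set, u, ps, k):
    for q in range(k):                           # exec: subframes 0 .. k-1 in order
        ps = exec_task(t_write_set, u, ps, q)
    return ps

def f_c(t_write_set, u, ps):
    k = NUM_SUBFRAMES[ps.control.frame]
    return replace(ps, memry=exec_subframes(t_write_set, u, ps, k).memry)

def cell_words(ps, c):
    return ps.memry[CELL_MAP[c].low:CELL_MAP[c].high + 1]

def rogue_write_set(u, ps, csf):
    """Constructed t_write_set: fill the task's own cell, then try to clobber address 12 (in c3)."""
    ar = CELL_MAP[sched_cell(ps.control.frame, csf)]
    return tuple(Mup(a, 100 + a) for a in range(ar.low, ar.high + 1)) + (Mup(12, 0xBAD),)

def exec_task_ax_holds(t_write_set, u, ps, csf):
    """Instance of exec_task_ax: every cell other than the scheduled one is unchanged."""
    target = sched_cell(ps.control.frame, csf)
    after = exec_task(t_write_set, u, ps, csf)
    return (all(cell_words(after, c) == cell_words(ps, c) for c in CELL_MAP if c != target)
            and after.control == ps.control)

if __name__ == "__main__":
    ps0 = Pstate(ControlState(0, MMU_ST_0, False, False), tuple(range(MEM_SIZE)))
    print(exec_task_ax_holds(rogue_write_set, None, ps0, 0))   # True: the write to 12 was dropped
```

The rogue write to address 12 is discarded by MMU_write because the registers loaded by load_mmu cover only the scheduled cell, and exec_task restores the original control state, so neither the supervisor flag nor any errorflag set along the way is visible afterwards. write_em applies the entries in descending index order, so when two entries target the same address the lowest-indexed one is the value that remains, which is consistent with the smallest_adr_n selection in write_em_prop (section 3.4.3).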

3.4 Verifications Associated With f_c-Related Refinements 

Since the function exec_task was constrained by three axioms at the DA_minv level, the 
mappings to the LE implementation generated three obligations: 

    exec_task_ax : OBLIGATION 
        sched_cell(Frame(ps.control), q) ≠ c 
          ⊃ CS_eq(cell_mem(exec_task(u, ps, q).memry, c), cell_mem(ps.memry, c)) 

    exec_task_ax_2 : OBLIGATION 
        Frame(exec_task(u, ps, q).control) = Frame(ps.control) 

    cell_input_constraint : OBLIGATION 
        cnst_eq(X.control, Y.control) 
          ∧ sched_cell(frame(X.control), q) = c 
          ∧ (∀ d : cell_input(d, c) ⊃ cells_match(X, Y, d)) 
          ⊃ cells_match(exec_task(u, X, q), exec_task(u, Y, q), c) 

Note that the obligations differ from the axioms in the upper level by the replacement of 
the equalities between cell_states and control_states with their mapped equivalence relations, 
CS_eq and cnst_eq, respectively. 

3.4.1 Proof of exec_task_ax 

The proof of this obligation establishes that any cell c that is not the one associated with 
the currently executing task (i.e. sched_cell(Frame(ps.control), q)) will not be altered by the 
execution of the task. This is verified by proving the following lemma using induction on 
nn. 

    ls_et : FUNCTION[inputs, sub_frame, cell, address, muplist, nat → bool] = 
      (λ u, csf, c, adr, tws, nn : 
        (∀ ps : LET cc := sched_cell((ps.control).frame, csf) 
          IN 
            address_within(adr, cell_map(c)) 
              ∧ nn < tws.num ∧ (ps.control).mmu = cell_map(cc) ∧ cc ≠ c 
              ⊃ write_em(tws, ps, nn).memry(adr) = ps.memry(adr))) 

    ls_et_lem : LEMMA ls_et(u, csf, c, adr, tws, nn) 

Proof of ls_et_lem: We first establish a lemma: 

    etl1 : LEMMA 
        cc = sched_cell((ps.control).frame, csf) ∧ (ps.control).mmu = cell_map(cc) 
          ∧ address_within(adr, cell_map(c)) ∧ nn < tws.num ∧ cc ≠ c 
          ⊃ write_em(tws, ps, nn).memry(adr) = 
              (IF nn ≤ 0 THEN ps ELSE 
                 write_em(tws, (LET tmn1 := tws.mups(pred(nn)) IN 
                                 IF address_within(tmn1.addr, (ps.control).mmu) THEN 
                                   ps WITH [memry := ps.memry WITH 
                                              [(tmn1.addr) := tmn1.val]] 
                                 ELSE ps END IF), 
                          pred(nn)) 
               END IF).memry(adr) 

from the definitions of write_em, MMU and MMU_write. The base case of the induction (i.e. 
nn = 0) follows directly from this lemma. The induction step is: 

    ls_et_lem_s : LEMMA 
        ls_et(u, csf, c, adr, tws, nn) ⊃ ls_et(u, csf, c, adr, tws, nn + 1) 

The first step is to establish: 

    ets2 : LEMMA 
        cc = sched_cell((ps.control).frame, csf) 
          ∧ (ps.control).mmu = cell_map(cc) 
          ∧ nn + 1 < tws.num 
          ∧ cc ≠ c 
          ∧ address_within(adr, cell_map(c)) 
          ∧ ls_et(u, csf, c, adr, tws, nn) 
          ∧ address_within(tws.mups(nn).addr, (ps.control).mmu) 
          ⊃ ps.memry(adr) = 
              (ps WITH 
                [memry := ps.memry WITH 
                  [(tws.mups(nn).addr) 
                     := tws.mups(nn).val]]).memry(adr) 

This is a direct result of the fact that cells do not overlap: 

    cell_separation : AXIOM 
        (c1 ≠ c2) ⊃ address_disjoint(cell_map(c1), cell_map(c2)) 

where 

    address_disjoint : FUNCTION[address_range_ty, address_range_ty → bool] = 
      (λ ar, ar2 : ar.low > ar2.high ∨ ar2.low > ar.high) 

Since adr lies in cell_map(c) while the written address lies in (ps.control).mmu = cell_map(cc) 
with cc ≠ c, the two addresses are distinct, so the update cannot change the word at adr. 
We next let ps2 represent 

    (ps WITH 
      [memry := ps.memry WITH 
        [(tws.mups(nn).addr) 
           := tws.mups(nn).val]]) 

in lemma ets2 and use ls_et with ps substituted with ps2. This yields ets3: 

    ets3 : LEMMA 
        cc = sched_cell((ps.control).frame, csf) ∧ (ps.control).mmu = cell_map(cc) 
          ∧ nn + 1 < tws.num ∧ cc ≠ c ∧ address_within(adr, cell_map(c)) 
          ∧ ls_et(u, csf, c, adr, tws, nn) 
          ∧ address_within(tws.mups(nn).addr, (ps.control).mmu) 
          ∧ ps2 = 
              (ps WITH 
                [memry := ps.memry WITH 
                  [(tws.mups(nn).addr) 
                     := tws.mups(nn).val]]) 
          ⊃ (write_em(tws, ps2, nn)).memry(adr) = ps.memry(adr) 

Then from lemma ets3 and lemma etl1 with nn + 1 substituted for nn, we have: 

    ets6 : LEMMA 
        cc = sched_cell((ps.control).frame, csf) 
          ∧ (ps.control).mmu = cell_map(cc) 
          ∧ nn + 1 < tws.num 
          ∧ cc ≠ c 
          ∧ address_within(adr, cell_map(c)) 
          ∧ ls_et(u, csf, c, adr, tws, nn) 
          ⊃ write_em(tws, ps, nn + 1).memry(adr) = ps.memry(adr) 

The induction step follows from ets6 and the definition of ls_et. 

Q.E.D. 


3.4.2 Proof of exec_task_ax_2 

The proof of the exec_task_ax_2 obligation follows directly from the definition of exec_task, 
whose result carries the control field of its argument unchanged. 

3.4.3 Proof of cell_input_constraint 

The proof of cell_input_constraint: 

    cell_input_constraint : OBLIGATION 
        cnst_eq(X.control, Y.control) ∧ sched_cell(frame(X.control), q) = c 
          ∧ (∀ d : cell_input(d, c) ⊃ cells_match(X, Y, d)) 
          ⊃ cells_match(exec_task(u, X, q), exec_task(u, Y, q), c) 

involves a significant amount of rewriting and the use of the following lemma about the 
function write_em: 

    write_em_prop : LEMMA 
        n < tws.num 
          ⊃ write_em(tws, XX, n).memry(addr) 
              = LET im := smallest_adr_n(tws, addr, n) IN 
                  IF match_exists_n(tws, addr, n) ∧ address_within(addr, (XX.control).mmu) 
                  THEN tws.mups(im).val 
                  ELSE XX.memry(addr) END IF 

That is, after write_em the word at an address inside the MMU range holds the value of the 
muplist entry selected by smallest_adr_n, and an address outside the range, or one that no 
entry targets, is unchanged. The proof of write_em_prop is by induction on n. It is very 
tedious and will not be discussed here; it is fully elaborated in the specifications. 

After rewriting cell_input_constraint with the definitions of cells_match, exec_task, CS_eq 
and cnst_eq, it becomes: 

    cic2 : LEMMA 
        cnst_eq(X.control, Y.control) 
          ∧ sched_cell(frame(X.control), q) = c 
          ∧ (∀ d : cell_input(d, c) ⊃ cells_match(X, Y, d)) 
          ⊃ CS_eq(cell_mem(write_em(t_write_set(u, X, q), 
                                    unset_super(load_mmu(set_super(X), sched_cell((X.control).frame, q))), 
                                    t_write_set(u, X, q).num).memry, c), 
                  cell_mem(write_em(t_write_set(u, Y, q), 
                                    unset_super(load_mmu(set_super(Y), sched_cell((Y.control).frame, q))), 
                                    t_write_set(u, Y, q).num).memry, c)) 

Rewriting this formula with the definitions of cell_mem, CS_eq, mshift and used_cells_eq, and 
using lemma CS_eq_need: 

    CS_eq_need : LEMMA 
        xx < cell_mem(write_em(t_write_set(u, X, q), 
                               unset_super(load_mmu(set_super(X), sched_cell((X.control).frame, q))), 
                               t_write_set(u, X, q).num).memry, c).len 
          ⊃ xx < cell_map(c).high − cell_map(c).low + 1 
              ∧ xx + cell_map(c).low < mem_size 

we have: 

    cic4D : LEMMA 
        cnst_eq(X.control, Y.control) 
          ∧ sched_cell(frame(X.control), q) = c 
          ∧ used_cells_eq(X, Y, c) ∧ n < c_length(c) ∧ n + cell_map(c).low < mem_size 
          ⊃ write_em(t_write_set(u, X, q), unset_super(load_mmu(set_super(X), c)), 
                     t_write_set(u, X, q).num).memry(n + cell_map(c).low) 
              = write_em(t_write_set(u, Y, q), unset_super(load_mmu(set_super(Y), c)), 
                         t_write_set(u, Y, q).num).memry(n + cell_map(c).low) 

Rewriting with cnst_eq and using axiom t_write_set_ax_1 and lemma cic4F: 

    cic4F : LEMMA 
        XX = unset_super(load_mmu(set_super(X), c)) 
          ⊃ cell_map(c).high = ((XX.control).mmu).high 
              ∧ cell_map(c).low = ((XX.control).mmu).low 

we have 

    cic4E : LEMMA 
        cnst_eq(X.control, Y.control) 
          ∧ sched_cell(frame(X.control), q) = c 
          ∧ used_cells_eq(X, Y, c) 
          ∧ tws = t_write_set(u, X, q) 
          ∧ n < c_length(c) 
          ∧ cell_map(c).high = ((XX.control).mmu).high 
          ∧ cell_map(c).low = ((XX.control).mmu).low 
          ∧ cell_map(c).high = ((YY.control).mmu).high 
          ∧ cell_map(c).low = ((YY.control).mmu).low ∧ n + cell_map(c).low < mem_size 
          ⊃ write_em(tws, XX, tws.num).memry(n + cell_map(c).low) 
              = write_em(tws, YY, tws.num).memry(n + cell_map(c).low) 

This lemma is proved using axiom t_write_set_ax_1 again, the definition of cnst_eq and lemma 
cic_W1 twice, i.e., cic_W1 and cic_W1{XX ← YY, X ← Y}. Lemma cic_W1 is proved using 
the definition of match_exists_n, axiom t_write_set_ax_2 and a key property about write_em, 
write_em_prop mentioned above. 

Q.E.D. 

4 Minimal Voting 

The DA_minv layer of the RCP architecture is positioned immediately below the DA layer 
in the overall RCP specification hierarchy. DA_minv specifications maintain the same basic 
structure as the DA layer. What is new at this level is a formalization of the minimal voting 
scheme, which offers a method of axiomatizing a set of general voting patterns spanning the full 
spectrum of possible degrees of voting frequency. Although highly frequent voting patterns, 
such as the continuous voting and cyclic voting patterns discussed in our Phase 2 report [2], 
could be expressed as instances of minimal voting, we anticipate that the greatest value from 
this work will result when it is used to achieve minimal voting literally, with a corresponding 
reduction in voting overhead. 

It is worth noting that the DA_minv formalism could have been incorporated into the 
RS layer of RCP. Originally, the voting scheme was intended to be quite arbitrary and 
needed only to satisfy certain constraints. Later we decided to incorporate the minimal 
voting concept as a voting scheme instance, still quite general, that could serve as the basis 
for further refinement. Its appearance at this point in the hierarchy is the result of a choice 
that could have been made differently. Note also that an informal proof of the minimal voting 
results was presented in our Phase 1 report [1]. 

Mappings from the DA layer to the DA_minv layer have been constructed to map the 
module generic_FT onto the module minimal_v. This section presents the minimal voting 
formalization and proofs of the mapping's obligations. 


4.1 Application Task Requirements 

To formalize the conditions under which the minimal voting scheme achieves transient recov- 
ery, it is necessary to introduce some preliminary definitions about task graphs and execution 
schedules. At the base of this formalization is a set of uninterpreted functions and a set of 
axioms that constrain these functions. Any application to be hosted on an RCP implemen- 
tation must interpret these functions in such a way as to satisfy the axioms. If the axioms 
hold, then the transient recovery properties shown about RCP will hold as well. 

The uninterpreted functions pertaining to application tasks are the following: 

1. cell_frame 
2. cell_subframe 
3. sched_cell 
4. num_subframes 
5. cell_input 
6. v_sched 

Two axioms constrain these functions: 

1. sched_cell_ax 
2. full_recovery_condition 

These functions and axioms are described below. There are several additional axioms 
introduced in the formalization whose purpose is to constrain the implementation of task 
execution in RCP. These additional constraints are shown to hold in the LE layer of RCP. 

4.1.1 Scheduling Concepts 

Four functions are used to describe the position of task cells within an execution schedule. 
The frame and subframe for a particular cell are given by cell_frame and cell_subframe, while 
sched_cell provides the inverse mapping, and num_subframes gives the number of subframes 
contained within a designated frame, because this number may vary from frame to frame. 

    cell_frame : FUNCTION[cell → frame_cntr] 

    cell_subframe : FUNCTION[cell → sub_frame] 

    sched_cell : FUNCTION[frame_cntr, sub_frame → cell] 

    num_subframes : FUNCTION[frame_cntr → nat] 

A task schedule can use arbitrary definitions for these functions provided they satisfy a 
well-formedness condition: 

    sched_cell_ax : AXIOM 
        mm = cell_frame(c) ∧ k = cell_subframe(c) 
          ⊃ sched_cell(mm, k) = c ∧ k < num_subframes(mm) 

This axiom expresses the functional inverse relationship and imposes the bound on the 
number of valid subframes for a frame. 

Next, we need to characterize the data flow dependencies of tasks embedded within a 
schedule. The uninterpreted function cell_input(c, d) holds when the output produced by the 
task executing at cell c is used as an input by the task executing at cell d. 

    cell_input : FUNCTION[cell, cell → bool] 

A cell may have inputs from zero or more other cells within the schedule. A cell may have 
an input from itself, in which case the value referenced is from the task's prior execution, 
i.e., the task's output from schedule_length frames ago. Clearly, cell_input can be used to 
define a data flow graph G that captures input-output relationships of the application tasks. 
Figure 6 on page 13 shows an example of such a graph. 

Recall that the RCP architecture divides a frame into four sequential phases: compute, 
broadcast, vote, and sync. A consequence of this scheme is that all of the tasks scheduled 
for execution during a frame will execute (and produce their output) before the output of 
any task scheduled for voting is used in a vote operation. A further consequence is that if 
cell c provides its output to cell d, and c is scheduled to execute before d within the same 
frame, and c is voted in this frame, then the value d uses as input is not a recently voted 
value because c’s output is not voted until the vote phase of its frame. This feature of RCP 
was designed to minimize the need for synchronization and make the implementation of 
voting more practical. A drawback, however, is the introduction of a few complications in 
the formalization of the recovery process. 

Thus, we find it necessary to derive a new function based on the cell_input concept. While 
cell_input captures the data flow relation irrespective of frame boundaries within a schedule, 
we need an additional predicate induced by cell_input that indicates when a more specialized 
set of conditions holds. The predicate cell_input_frame(c, d) holds when the value provided 
by c is generated in a different frame from d's execution frame, and either c's value flows 
directly to d or flows indirectly to d through computation by cells that precede d in its frame. 
This allows us to express the cell recovery conditions in terms of indirect data flows that 
cross frame boundaries and hence will have been acted upon by vote operations in previous 
frames. In effect, cell_input_frame defines a modified task graph in which the data flows are 
prescribed by this new predicate rather than by cell_input. 

To formalize this notion, we first define the predicate different_frame(c, d), which is true 
when c's last value was produced in a frame prior to the one in which d would be executing. 
Figure 13: Task graph induced by cell_input_frame (G*). 

different .frame : FUNCTION[cell, cell — ► bool] = 

(A c,d : 

celLframe(c) ^ cell-frame(d) V cell_subframe(c) > cell-subframe(d)) 

Note that this concept of “different frame” is not the same as having different scheduled
frames. RCP uses the convention that if c and d are scheduled to execute in the same frame,
with c having a later subframe than d, a data flow from c to d uses the value from
c’s prior execution, i.e., c’s output from schedule_length frames ago in time. It is this latter
notion of difference that is captured by different_frame.

To express cell_input_frame we enlist the help of a recursive function that computes the
transitive closure of the cell_input relation from the target cell back through the cells of all
earlier subframes, retaining only those cells that satisfy different_frame. It is this transitive
closure that captures the indirect data flows.

cell_input_star : RECURSIVE
  FUNCTION[cell, cell, subframe → bool] =
    (λ c, d, q :
      (different_frame(c, d) ∧ cell_input(c, d))
      ∨ (∃ e :
           cell_input(e, d)
           ∧ cell_frame(e) = cell_frame(d)
           ∧ cell_subframe(e) < q
           ∧ cell_input_star(c, e, cell_subframe(e))))
  BY (λ c, d, q : q)

Evaluating cell_input_star with a suitable starting value for the recursion is our means of
defining cell_input_frame, the data flow relation used to characterize the full recovery
condition.

cell_input_frame : FUNCTION[cell, cell → bool] =
  (λ c, d : cell_input_star(c, d, cell_subframe(d)))
In the following presentation, we refer to the task graph induced by the cell_input_frame
relation as G*. As an example, refer back to figure 6, where the data flows in this figure
would be given by an instance of cell_input. The corresponding graph defined by the derived
predicate cell_input_frame is shown in figure 13. Notice how the only edges in the graph are
ones that cross frame boundaries.

The final uninterpreted function needed to characterize an application concerns the 
scheduling of voting. 

v_sched : FUNCTION[frame_cntr, cell → bool]

The predicate v_sched(fr, c) is true when cell c is scheduled to have its value voted at the
end of frame fr. This allows a (different) subset of the cell values to be voted each frame. It 
is necessary to meet certain conditions in the assignments of a voting schedule to ensure that 
full recovery of the cell states can be achieved in a bounded number of frames. A precise 
statement of these recovery conditions requires the introduction of several new definitions, 
which we choose to express in graph-theoretic terms. 

4.1.2 Task Graph Concepts 

Cell recovery is expressed as a property of the task data flow graph G* augmented with 
schedules for computation and voting. Paths through the graph are the basic unit of expres- 
sion. A path is simply a sequence of cells, which we represent in EHDM as a mapping from 
natural numbers to cells. 

path_type : TYPE = FUNCTION[nat → cell]

Although this can be used to represent infinite paths, we will be concerned only with finite 
paths. A path of length L can be represented by the restriction of a path-type mapping to 
its first L elements, that is, mapping from the values 0 to L — 1. Hence, when we need to 
restrict consideration to finite paths, we use a path value and a separate length value to 
denote this restriction. 

For this formal treatment, only paths over G* are of interest. Moreover, we only will have 
occasion to refer to paths that terminate in a particular cell c. An arbitrary path from G* 
ending in cell c is identified by the following predicate. 

input_path : FUNCTION[path_type, nat, cell → bool] =
  (λ path, len, c :
    (len > 0 ⊃ c = path(len − 1))
    ∧ (∀ q : 0 < q ∧ q < len ⊃ cell_input_frame(path(q − 1), path(q))))

The definition also admits zero-length paths, but any path of nonzero length must end in c. 

Several definitions about paths are needed to construct proofs pertaining to cell recovery, 
although they are not needed in the statement of the full recovery condition itself. One such 
definition concerns a more specialized kind of path needed to reason about when the terminal 
cell c can be assured of having a recovered value under certain conditions. The predicate
cell_rec_path(path, len, c, fr, H) holds iff a path of length len ending at cell c contains a
progression of cells that must have been recovered in order for c to be recovered in frame 
fr, assuming the processor has been healthy for H consecutive frames (last transient fault 
disappeared more than H frames earlier). This function is defined recursively by working 
backward through G*, taking into account all cells that contribute directly and indirectly to 
computing the task output at cell c. 

cell_rec_path : RECURSIVE
  FUNCTION[path_type, nat, cell, frame_cntr, nat → bool] =
    (λ path, len, c, fr, H :
      IF H = 0 THEN len = 0 ELSE
        IF v_sched(prev_fr(fr), c)
          THEN len = 0
          ELSE
            IF cell_frame(c) = prev_fr(fr)
              THEN
                len > 0
                ∧ path(len − 1) = c
                ∧ ((∃ d :
                       cell_input_frame(d, c)
                       ∧ cell_rec_path(path, len − 1, d, prev_fr(fr), H − 1))
                   ∨ ((∀ e : ¬ cell_input_frame(e, c)) ∧ len = 1))
              ELSE cell_rec_path(path, len, c, prev_fr(fr), H − 1) END
          END
      END)
  BY (λ path, len, c, fr, H : H)

For a given cell c, many paths are possible that satisfy cell_rec_path. None, however, may
contain successive cells d and e where d’s output is voted before it is used by e. Only
paths that represent chains of data flow through G* unbroken by vote sites are admitted by
cell_rec_path. Whenever a cell takes multiple inputs, branching exists to create the possibility
of multiple recovery paths. The cell at the beginning of a recovery path must either have no
inputs or take all its inputs from cells with voted outputs. In all cases, there must be enough
time to follow the indicated path, i.e., H must be large enough to allow all the nonfaulty
frames needed for recovery.

To illustrate the concept of recovery paths, we refer to figure 13 again. Suppose the
output of T2 is voted at the end of frame 1. Then two recovery paths for T7 are possible:

⟨T5, T7⟩ and ⟨T4, T6, T7⟩.

Since multiple recovery paths may emanate backward from a target cell, it is natural to 
consider sets of recovery paths. In our case, it will suffice to define the set of path lengths 
corresponding to all recovery paths for a cell c. We use path_len_set(c, fr, H ) to define the 
set of lengths for all paths needed to recover cell c in frame fr after H healthy frames have 
transpired. 
path_len_set : FUNCTION[cell, frame_cntr, nat → finite_set[nat]] =
  (λ c, fr, H → finite_set[nat] :
    (λ len : (∃ path : cell_rec_path(path, len, c, fr, H))))

Finally, we note the definition for a cyclic path, which is simply a path in which a cell 
appears more than once. 

cyclic_path : FUNCTION[path_type, nat → bool] =
  (λ path, len : duplicates(path, len))

4.1.3 Full Recovery Condition 

With the preceding concepts about task graphs in hand, we may now introduce the full 
recovery condition and its supporting definitions. First we define a pair of simple operations 
for doing modular arithmetic on frame counter values. Functions mod_plus and mod_minus
perform addition and subtraction modulo the constant schedule_length.

mod_plus : FUNCTION[frame_cntr, frame_cntr → frame_cntr] =
  (λ mm, ll → frame_cntr :
    IF mm + ll ≥ schedule_length
      THEN mm + ll − schedule_length
      ELSE mm + ll END)

mod_minus : FUNCTION[frame_cntr, frame_cntr → frame_cntr] =
  (λ mm, ll → frame_cntr :
    IF mm ≥ ll THEN mm − ll ELSE schedule_length − ll + mm END)

The function mod_minus is used, in turn, to define the notion of when one frame is
“between” two others. If we envision the frame counter values 0 to schedule_length − 1 forming
a circular progression of values, with 0 following schedule_length − 1 in “wrap-around” fashion,
then the values between two points a and b carve out an arc of the circle. Any point within
that arc will be between a and b. The points in the complementary arc lie between b and a.
If the distance along the arc from a to a point p is less than the distance from a to b, then
p lies between a and b.

between_frames : FUNCTION[frame_cntr, frame_cntr, frame_cntr → bool] =
  (λ a, fr, b : mod_minus(fr, a) < mod_minus(b, a))

The predicate between_frames is actually a half-open test; fr may equal a but not b.

Now it is possible to express when the output of a task at a given cell is voted in a way 
that is useful to the receiving task. Specifically, if the output of cell d is scheduled to be 
voted after it is computed and before it is consumed by cell c, then we know c will be using 
a recovered value for d. 
output_voted : FUNCTION[cell, cell, frame_cntr → bool] =
  (λ d, c, fr :
    v_sched(fr, d)
    ∧ (between_frames(cell_frame(d), fr, cell_frame(c))
       ∨ cell_frame(d) = cell_frame(c)))

This predicate allows for the special case where d and c are scheduled for execution in the
same frame. Since we are only concerned with paths through G*, where there are no edges
from one cell to a later one within the same frame, we conclude that it suffices to vote
d during any frame. This follows because the value for c must come from schedule_length
frames in the past.

The main criterion needed to ensure full recovery of all cell states is that for each cyclic
path in the graph G*, there must exist at least one valid vote site, that is, a pair of adjacent
cells in the path satisfying the output_voted predicate. The predicate cycles_voted expresses
this requirement for all paths and all pairs of path indices k and l delimiting a cyclic subpath.
For each such subpath there must exist an interior cell with its output properly voted.

cycles_voted : FUNCTION[path_type, nat → bool] =
  (λ path, len :
    (∀ k, l :
      k < l ∧ l < len ∧ path(k) = path(l)
        ⊃ (∃ q, fr :
             k ≤ q ∧ q < l ∧ output_voted(path(q), path(q + 1), fr))))

Note that this definition implies that where there are no cyclic paths in G*, there is no need 
for any voting whatsoever. 

Our final statement of the full recovery condition is the following axiom. 

full_recovery_condition : AXIOM
  input_path(path, len, c) ⊃ cycles_voted(path, len)

For all cells c and every path of G* ending at cell c, the cycles on that path must be “voted,” 
that is, contain at least one vote site. 

As an illustration of this condition, consider again the example graph G* depicted in
figure 13. There is only one cycle in this graph, consisting of the cells for tasks T2, T4, T6,
and T7. Voting any one of those cells in the frame in which it is scheduled for computation
will suffice to meet the full recovery condition. Since each one has its output consumed in
the immediately following frame, it is not possible to vote the cells in any other frames and
still satisfy output_voted. Notice how it would be useless to vote the output of either T1 or
T3 since they lie on no cycles in G*, even though they are part of the cycle from the original
graph G in figure 6.
4.1.4 Time to Recovery

To carry out the proofs for the minimal voting scheme it is necessary to characterize the
maximum time needed to recover a cell, where time is measured in number of frames. Our
basic mechanism for doing this is a recursive function that traverses paths through the graph
G* in reverse order, much the same as was done with the function cell_rec_path. Since this
function must be well-defined even if the full recovery condition fails to hold, we need a
starting value to supply for the recursive argument H that exceeds the maximum number of
frames that could possibly be required if full recovery is assured. This allows the recursion
to terminate even when the full_recovery_condition is not met.

The constant max_rec_frames serves this purpose. Its value was chosen to exceed the
maximum possible number of frames needed to recover a cell.

max_rec_frames : nat = schedule_length * (num_cells + 1) + 1

The rationale for the value chosen is that num_cells is the maximum length of an acyclic
path through the graph G* and schedule_length is the maximum number of frames that can
transpire for any edge of the graph. Therefore, their product is the maximum time, in frames,
of an acyclic path. Add to that another schedule_length frames to account for the maximum
latency between when a cell is scheduled for execution and an arbitrary frame. The result
is a conservative upper bound on the time to recover a cell when the full_recovery_condition
holds.

The recursive function used to count frames to recovery is called NF_cell_rec. Its formal-
ization is somewhat unusual due to a need to take the maximum over a set of values collected
from recursive calls of the function. An intermediate function called rec_set is provided to
aid this process. Note that rec_set is a higher-order function; it takes a functional argument
of the following type.

cell_nat_fn : TYPE = FUNCTION[cell → nat]

With f a function of this type, rec_set(f, c) returns a set of nats constructed as follows.
The value a is a member of the set iff there exists another cell d providing input to c and
a = f(d).

rec_set : FUNCTION[cell_nat_fn, cell → finite_set[nat]] =
  (λ cnfn, c → finite_set[nat] :
    (λ a :
      (∃ d : cell_input_frame(d, c) ∧ a = cnfn(d)) ∧ a < max_rec_frames))

The additional conjunct a < max_rec_frames is used to ensure the resulting set is finite.
Thus, rec_set yields a method of applying f to all cells that send inputs to c and collecting
the results of these applications into a set. In practice, the actual argument for f will be a
λ-expression based on recursive calls to NF_cell_rec.

Now NF_cell_rec(c, fr, H) can be defined using the intermediate function rec_set. If c was
voted in the previous frame, the recovery time is one frame. Otherwise, determine whether
c was due to execute in the previous frame. If so, return one plus the maximum recovery
time computed for recursive calls over all input-producing cells d. If c did not execute last
frame, simply evaluate the function recursively for the same cell c and add one frame.





NF_cell_rec : RECURSIVE FUNCTION[cell, frame_cntr, nat → nat] =
  (λ c, fr, H :
    IF H = 0 THEN 0 ELSE
      IF v_sched(prev_fr(fr), c)
        THEN 1
        ELSE
          IF cell_frame(c) = prev_fr(fr)
            THEN
              max(rec_set((λ d : NF_cell_rec(d, prev_fr(fr), H − 1)), c)) + 1
            ELSE NF_cell_rec(c, prev_fr(fr), H − 1) + 1 END
      END
    END)
  BY (λ c, fr, H : H)

This definition assumes that fr is the current frame and we wish to be able to use a recovered 
value for c at the beginning of that frame, hence the use of tests on the previous frame. 

Given this function, what remains is to collect all values together and take their maxi- 
mum. Accordingly, the constant all_rec_set is defined to be the set of all nats that correspond 
to a recovery time for some cell and some frame. Taking the maximum over this set yields 
the greatest time required to recover any cell from any point in the schedule. 

all_rec_set : finite_set[nat] =
  (λ a : (∃ c, fr : a = NF_cell_rec(c, fr, max_rec_frames)))

recovery_period : nat = 2 + max(all_rec_set)

The recovery period is defined to be two frames larger than max(all_rec_set) to account for
the one frame needed to vote the control state (frame counter) before any recovery actions
can be relied upon and the off-by-one effect caused by counting the current frame.


4.2 DA_minv Definitions 

The RS layer of RCP was shown to achieve transient fault recovery by assuming a generic
set of functions describing recovery concepts and a set of axioms governing task behavior.
These functions and axioms are found in the EHDM module generic_FT. In the DA_minv layer,
these functions have been elaborated, although only partially in some cases, and proofs are
provided for the axioms. The functions in question are f_s, f_v, recv, and dep.

To model the selection of a subset of cell states for broadcast and voting, the uninterpreted
function f_s was introduced. Although its full interpretation appears at the LE layer of
RCP, it is further axiomatized in the DA_minv layer in terms that relate the various state
components in use at this level. In essence, f_s relates the values returned by cebuf, which
extracts elements from a mailbox, to the current values of corresponding cell states. There
is also a control state component accessed via cnbuf. While f_s remains uninterpreted in
DA_minv, the following axioms are provided to further its elaboration.
f_s : FUNCTION[Pstate → MB]

f_s_ax : AXIOM
  IF v_sched(frame(ps.control), cc)
    THEN cebuf(f_s(ps), cc) = cells(ps.memry, cc)
    ELSE cebuf(f_s(ps), cc) = cs0(cc) END

f_s_control_ax : AXIOM cnbuf(f_s(ps)) = ps.control

Only cells scheduled to be voted in the current frame have their cell states mapped into
the mailbox value produced by f_s. Unvoted cells are assigned a default cell state value if
accessed using cebuf.

Turning to the voting effects function, f_v is likewise uninterpreted in DA_minv and further
constrained by an axiom. To specify precisely the voted cell states, we provide a support
function that recursively applies a function to each mailbox slot and cell state, and
accumulates the result. The function cell_apply applies its functional argument for each
voted cell, in order, to the cumulative memory state it computes.

cell_apply : RECURSIVE
  FUNCTION[cell_fn, control_state, memory, nat → memory] =
    (λ cfn, K, C, k :
      IF k = 0 ∨ k > num_cells THEN C ELSE
        IF v_sched(frame(K), k − 1)
          THEN
            write_cell(cell_apply(cfn, K, C, k − 1), k − 1, cfn(k − 1))
          ELSE cell_apply(cfn, K, C, k − 1) END
      END)
  BY (λ cfn, K, C, k : k)

Only when a vote is scheduled for a given cell is the cell function applied and the memory 
overwritten. Otherwise, the existing value for that cell state is retained. 

An axiom for f_v specifies the proper resulting value for a vote operation. The control
state portion is voted in every frame. The cell states are selectively voted and overwritten
according to the process specified in the cell_apply function.

f_v : FUNCTION[Pstate, MBvec → Pstate]

f_v_ax : AXIOM
  f_v(ps, w).control = k_maj(w)
  ∧ f_v(ps, w).memry
      = cell_apply((λ c : t_maj(w, c)), ps.control, ps.memry, num_cells)

If no cells are scheduled for voting in a certain frame, all the cell states will be unchanged
by f_v. However, the control state value will always be voted (and potentially changed).

For every application-specific transient fault recovery scheme to be used with RCP, we 
must be able to determine when individual state components have been recovered. This 
condition is expressed in terms of the current control state and the number of nonfaulty
frames since the last transient fault. The uninterpreted function recv was introduced in
module generic_FT for this purpose. A recursive definition is now provided.

The predicate recv(c, K , H) is true iff cell c’s state should have been recovered when in 
control state K with healthy frame count H. We use a healthy count of one to indicate that 
the current frame is nonfaulty, but the previous frame was faulty. This means that H — 1 
healthy frames have occurred prior to the current one. 

recv : RECURSIVE FUNCTION[cell, control_state, nat → bool] =
  (λ c, K, H :
    IF H < 2 THEN false ELSE
      v_sched(frame(pred(K)), c)
      ∨ IF cell_frame(c) = frame(pred(K))
          THEN (∀ d : cell_input_frame(d, c) ⊃ recv(d, pred(K), H − 1))
          ELSE recv(c, pred(K), H − 1) END
    END)
  BY (λ c, K, H : H)

Cell c should be considered recovered if one of three conditions holds: 

1. c was voted in the previous frame. 

2. c was computed in the previous frame and all inputs to c in G* were recovered in that 
frame. 

3. c was not computed in the previous frame and was considered recovered in that frame. 

As before, we test against the previous frame because we would like recv to describe the 
situation at the beginning of the current frame. 
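As an added example, not part of the report or its EHDM specifications, the following Python script models the definitions of sections 4.1.2 through 4.2 over a constructed two-frame schedule: it derives G* from cell_input through cell_input_star, checks the full recovery condition (as "G* minus its voted edges is acyclic", which is equivalent to cycles_voted holding on every input_path), evaluates NF_cell_rec and recovery_period, and then instantiates the full_recovery obligation by evaluating recv for every cell and frame. The cells T1 to T6, their frames and subframes, the edges of G and the three vote schedules are invented for the illustration and are not figure 6 or figure 13; a control state K is identified with its frame number, so pred(K) is prev_fr(K), and the maximum over an empty rec_set is taken as 0.

```python
"""Executable model of the section 4.1/4.2 definitions (added example, not the
report's EHDM text) over a constructed two-frame schedule.  Cells, edges and vote
schedules are invented; a control state K is represented by its frame number, so
pred(K) is prev_fr(K); max over an empty rec_set is taken as 0."""
SCHEDULE_LENGTH = 2
# Constructed schedule: cell -> (cell_frame, cell_subframe)
CELL_FRAME = {"T1": (0, 0), "T2": (0, 1), "T3": (0, 2),
              "T4": (1, 0), "T5": (1, 1), "T6": (1, 2)}
NUM_CELLS = len(CELL_FRAME)
# Constructed graph G: cell_input(c, d) iff (c, d) in G_EDGES.  T1->T2 and
# T4->T5->T6 flow forward inside a frame (collapsed in G*); T3->T1 flows to an
# earlier subframe, so T1 reads T3's value from SCHEDULE_LENGTH frames ago.
G_EDGES = {("T1", "T2"), ("T2", "T4"), ("T3", "T4"), ("T4", "T5"),
           ("T5", "T6"), ("T6", "T2"), ("T3", "T1")}
MAX_REC_FRAMES = SCHEDULE_LENGTH * (NUM_CELLS + 1) + 1

def cell_frame(c): return CELL_FRAME[c][0]
def cell_subframe(c): return CELL_FRAME[c][1]
def cell_input(c, d): return (c, d) in G_EDGES
def prev_fr(fr): return (fr - 1) % SCHEDULE_LENGTH

def different_frame(c, d):
    return cell_frame(c) != cell_frame(d) or cell_subframe(c) > cell_subframe(d)

def cell_input_star(c, d, q):
    """Closure of cell_input back through the earlier subframes of d's frame."""
    if different_frame(c, d) and cell_input(c, d):
        return True
    return any(cell_input(e, d) and cell_frame(e) == cell_frame(d)
               and cell_subframe(e) < q and cell_input_star(c, e, cell_subframe(e))
               for e in CELL_FRAME)

def cell_input_frame(c, d):
    return cell_input_star(c, d, cell_subframe(d))

def g_star_edges():
    return {(c, d) for c in CELL_FRAME for d in CELL_FRAME if cell_input_frame(c, d)}

def mod_minus(mm, ll):
    return mm - ll if mm >= ll else SCHEDULE_LENGTH - ll + mm

def between_frames(a, fr, b):            # half-open: fr may equal a but not b
    return mod_minus(fr, a) < mod_minus(b, a)

def output_voted(d, c, fr, v_sched):
    return (fr, d) in v_sched and (cell_frame(d) == cell_frame(c)
                                   or between_frames(cell_frame(d), fr, cell_frame(c)))

def full_recovery_condition(v_sched):
    """Every cycle of G* contains a vote site, checked as: G* minus its voted
    edges is acyclic (equivalent to cycles_voted on every input_path)."""
    succ = {}
    for d, c in g_star_edges():
        if not any(output_voted(d, c, fr, v_sched) for fr in range(SCHEDULE_LENGTH)):
            succ.setdefault(d, []).append(c)
    state = {}                            # 1 = on the DFS stack, 2 = finished
    def on_cycle(n):
        state[n] = 1
        for m in succ.get(n, []):
            if state.get(m) == 1 or (m not in state and on_cycle(m)):
                return True
        state[n] = 2
        return False
    return not any(n not in state and on_cycle(n) for n in CELL_FRAME)

def nf_cell_rec(c, fr, H, v_sched):
    """Frames needed before c's value is usable at the start of frame fr."""
    if H == 0:
        return 0
    if (prev_fr(fr), c) in v_sched:
        return 1
    if cell_frame(c) == prev_fr(fr):
        return 1 + max((nf_cell_rec(d, prev_fr(fr), H - 1, v_sched)
                        for d in CELL_FRAME if cell_input_frame(d, c)), default=0)
    return 1 + nf_cell_rec(c, prev_fr(fr), H - 1, v_sched)

def recovery_period(v_sched):
    return 2 + max(nf_cell_rec(c, fr, MAX_REC_FRAMES, v_sched)
                   for c in CELL_FRAME for fr in range(SCHEDULE_LENGTH))

def recv(c, K, H, v_sched):
    """Section 4.2 recv: c recovered at the start of frame K after H healthy frames."""
    if H < 2:
        return False
    if (prev_fr(K), c) in v_sched:
        return True
    if cell_frame(c) == prev_fr(K):
        return all(recv(d, prev_fr(K), H - 1, v_sched)
                   for d in CELL_FRAME if cell_input_frame(d, c))
    return recv(c, prev_fr(K), H - 1, v_sched)

def full_recovery_holds(v_sched, H):
    """The full_recovery obligation instantiated at H for every cell and frame."""
    return all(recv(c, K, H, v_sched) for c in CELL_FRAME for K in range(SCHEDULE_LENGTH))

V_GOOD = frozenset({(0, "T2")})   # T2 voted at the end of the frame that computes it
V_LATE = frozenset({(1, "T2")})   # one frame late: T4 and T6 consumed the unvoted value
V_NONE = frozenset()
```

With V_GOOD, full_recovery_condition is true, recovery_period evaluates to 6, and full_recovery_holds(V_GOOD, 6) is true; recv("T1", 0, 4, V_GOOD) is still false because T1's only G* input, T3, has not yet been recomputed on a healthy frame, which is the initial_recovery side of the picture. With V_NONE the check fails and nf_cell_rec("T2", 1, MAX_REC_FRAMES, V_NONE) returns MAX_REC_FRAMES itself, the "count equals H" signal from section 4.5.2 that recovery did not complete in the budget. V_LATE also fails: T4 and T6 consume T2's frame-0 output during frame 1, before the late vote, and T2 is recomputed in the next frame from the unvoted T6, so the cycle through T2 and T6 is never cut.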

The predicate dep(c, d, K) indicates that cell c’s value in the next state depends on cell
d’s value in the current state, when in control state K. This notion of dependency is different
from the notion of computational dependency; it determines which cells need to be recovered
in the current frame on the recovering processor for cell c’s value to be considered recovered
at the end of the current frame.

dep : FUNCTION[cell, cell, control_state → bool] =
  (λ c, d, K :
    ¬ v_sched(frame(K), c)
    ∧ IF cell_frame(c) = frame(K)
        THEN cell_input_frame(d, c)
        ELSE c = d END)

If cell c is voted during K, or its computation takes only sensor inputs, there is no dependency. 
If c is not computed during K , c depends only on its own previous value. Otherwise, c 
depends on one or more cells for its new value, namely, those cells connected by an edge in 
G*. 

Two utility functions are used in the subsequent presentation that we describe here. 
First, cells_match states the simple condition that all cell components of the memories of two 
Pstate values are equal. Second, dep_agree specifies a similar condition, that the subset of 
cells that c depends on all match for two Pstate values. 
cells_match : FUNCTION[Pstate, Pstate, cell → bool] =
  (λ X, Y, c : cells(X.memry, c) = cells(Y.memry, c))

dep_agree : FUNCTION[cell, control_state, Pstate, Pstate → bool] =
  (λ c, K, X, Y : (∀ d : dep(c, d, K) ⊃ f_t(X, d) = f_t(Y, d)))

One final axiom we need to describe concerns a constraint on the cell_input function
and its relationship to the task execution function exec_task. The axiom cell_input_constraint
requires that for two Pstate values X and Y, and a cell c, the result of executing c against
both X and Y produces the same cell state provided all cell states used as input by c likewise
match in X and Y.

cell_input_constraint : AXIOM
  X.control = Y.control
  ∧ sched_cell(frame(X.control), q) = c
  ∧ (∀ d : cell_input(d, c) ⊃ cells_match(X, Y, d))
    ⊃ cells_match(exec_task(u, X, q), exec_task(u, Y, q), c)

A similar property based on the derived function cell_input_frame and applicable to the graph
G* has been asserted as the lemma cell_input_frame_lem and proved using the axiom above.


4.3 DA_minv Proof Obligations

The proof obligations generated by mapping the DA layer onto the DA_minv layer stem from
the axioms of the generic_FT module. By proving these obligations we establish that the
minimal voting scheme embodied in the EHDM specifications discussed thus far achieves full
recovery from transient faults within recovery_period frames. We will present an overview of
some of these proofs in the following sections.

recovery_period_ax : OBLIGATION recovery_period ≥ 2

succ_ax : OBLIGATION f_k(f_n(ps)) = succ(f_k(ps))

control_nc : OBLIGATION f_k(f_c(u, ps)) = f_k(ps)

cells_nc : OBLIGATION f_t(f_n(ps), c) = f_t(ps, c)

full_recovery : OBLIGATION H ≥ recovery_period ⊃ recv(c, K, H)

initial_recovery : OBLIGATION recv(c, K, H) ⊃ H ≥ 2

dep_recovery : OBLIGATION
  recv(c, succ(K), H + 1) ∧ dep(c, d, K) ⊃ recv(d, K, H)

components_equal : OBLIGATION
  f_k(X) = f_k(Y) ∧ (∀ c : f_t(X, c) = f_t(Y, c)) ⊃ X = Y

control_recovered : OBLIGATION
  maj_condition(A) ∧ (∀ p : member(p, A) ⊃ w(p) = f_s(ps))
    ⊃ f_k(f_v(Y, w)) = f_k(ps)

cell_recovered : OBLIGATION
  maj_condition(A)
  ∧ (∀ p : member(p, A) ⊃ w(p) = f_s(f_c(u, ps)))
  ∧ f_k(X) = K ∧ f_k(ps) = K ∧ dep_agree(c, K, X, ps)
    ⊃ f_t(f_v(f_c(u, X), w), c) = f_t(f_c(u, ps), c)

vote_maj : OBLIGATION
  maj_condition(A) ∧ (∀ p : member(p, A) ⊃ w(p) = f_s(ps))
    ⊃ f_v(ps, w) = ps

4.4 Top-Level EHDM Proof for DA_minv

We show below the EHDM proof statements for the obligations presented in the previous
section. Most of the proofs are simple, requiring only the invocation of function definitions
and a few minor lemmas. Two of the proofs require more substantial effort. The proof of
cell_recovered is of moderate complexity and requires several lemmas for support. This proof
will be outlined in the next section. The proof of full_recovery, encapsulated here via the
lemma full_rec, is very complex and requires the formulation and proof of a large collection
of supporting lemmas. This proof will be outlined in the next section as well.

p_recovery_period_ax : PROVE recovery_period_ax FROM recovery_period_min

p_succ_ax : PROVE succ_ax FROM f_n

p_control_nc : PROVE control_nc FROM f_c

p_cells_nc : PROVE cells_nc FROM f_n

p_components_equal : PROVE components_equal {c ← c@p1}
  FROM
    memory_equal {C ← X.memry, D ← Y.memry},
    Pstate_extensionality {Pstate_r1 ← X, Pstate_r2 ← Y}

p_full_recovery : PROVE full_recovery FROM full_rec

p_initial_recovery : PROVE initial_recovery FROM recv

p_dep_recovery : PROVE dep_recovery
  FROM recv {K ← succ(K), H ← H@c + 1}, dep, pred_succ_ax

p_control_recovered : PROVE control_recovered {p ← p@p1}
  FROM
    k_maj_ax {K ← ps.control}, f_v_ax {ps ← Y, w ← w}, f_s_control_ax

p_cell_recovered : PROVE cell_recovered {p ← p@p1}
  FROM
    t_maj_ax {cs ← cebuf(f_s(f_c(u, ps)), c)},
    cell_input_frame_lem {Y ← ps},
    cells_match {Y ← ps, c ← d@p2},
    cells_match {X ← f_c(u, X), Y ← f_c(u, ps)},
    f_v_components {ps ← f_c(u, X)},
    dep_agree {Y ← ps, d ← d@p2},
    dep_agree {Y ← ps, d ← c},
    dep {d ← d@p2},
    dep {d ← c},
    f_s_ax {ps ← f_c(u, ps), cc ← c},
    f_c_uncomputed_cells {X ← ps},
    f_c_uncomputed_cells,
    f_c {ps ← X},
    f_c

p_vote_maj : PROVE vote_maj {p ← p@p4}
  FROM
    components_equal {X ← f_v(ps, w), Y ← ps},
    k_maj_ax {K ← ps.control},
    t_maj_ax {cs ← cells(ps.memry, c@p1), c ← c@p1},
    w_condition,
    w_condition {p ← p@p2},
    w_condition {p ← p@p3},
    f_s_ax {cc ← c@p1},
    f_s_control_ax,
    f_v_components {c ← c@p1}

4.5 Proof Summaries 

We now focus our attention on summaries of two lines of proof. One is a proof of the
obligation cell_recovered and the other a proof of the obligation full_recovery.


4.5.1 Proof of cell_recovered

The cell_recovered obligation states conditions under which task computation and voting will
produce correct values for cell states at the end of the current frame, given that appropriate
cells had correct values at the beginning of the frame. In this case, being recovered means
that cell states agree with a majority consensus of the processors.

cell_recovered : OBLIGATION
  maj_condition(A)
  ∧ (∀ p : member(p, A) ⊃ w(p) = f_s(f_c(u, ps)))
  ∧ f_k(X) = K ∧ f_k(ps) = K ∧ dep_agree(c, K, X, ps)
    ⊃ f_t(f_v(f_c(u, X), w), c) = f_t(f_c(u, ps), c)
Proving this obligation is a matter of accounting for the effects of the task computation
function f_c and the voting function f_v. Applying the definitions of various functions in the
formula and invoking the following lemma about f_v produces two cases to consider based on
whether c is scheduled for voting in the current frame.

f_v_components : LEMMA
  f_k(f_v(ps, w)) = k_maj(w)
  ∧ f_t(f_v(ps, w), c)
      = IF v_sched(frame(ps.control), c)
          THEN t_maj(w, c) ELSE cells(ps.memry, c) END

A second case split is involved based on whether c is scheduled for execution in the current
frame. If cell_frame(c) = frame(X.control), we apply the following lemma

cell_input_frame_lem : LEMMA
  X.control = Y.control
  ∧ cell_frame(c) = frame(X.control)
  ∧ (∀ d : cell_input_frame(d, c) ⊃ cells_match(X, Y, d))
    ⊃ cells_match(f_c(u, X), f_c(u, Y), c)

to deduce when cells should match after computation. If cell_frame(c) ≠ frame(X.control),
we apply a different lemma,

f_c_uncomputed_cells : LEMMA
  cell_frame(c) ≠ frame(X.control)
    ⊃ cells((f_c(u, X)).memry, c) = cells(X.memry, c)

to deduce that c’s cell state has not changed.

The proof, including the case splitting mentioned above, is carried out with a single EHDM
proof directive. Proving the lemmas themselves is straightforward. Only cell_input_frame_lem
requires moderate effort. This lemma is proved by complete induction on subframe number,
working from c’s subframe back toward the beginning of the frame. Several supporting
lemmas are used in the proof of cell_input_frame_lem.

4.5.2 Proof of full_recovery

The property called full_recovery formalizes the essence of RCP’s transient fault recovery
mechanism. Its proof is the heart of the minimal voting proof.

full_recovery : OBLIGATION H ≥ recovery_period ⊃ recv(c, K, H)

This formula states that if given enough time after experiencing a transient fault, eventually
a processor should recover all elements of its cell state by voting state information it has
exchanged with other processors. This formula is based on properties of the schedule and task
graph only; it does not deal with actual state value changes. Other portions of the generic_FT
obligations, such as cell_recovered, are responsible for those effects. “Enough time” in this
case is expressed by the constant recovery_period, which is the maximum number of frames
required to recover an arbitrary cell from an arbitrary starting point within the schedule.
Recovery of a cell is formalized through the function recv, which was discussed in section 4.2.

We begin by giving a very brief proof sketch for the full_recovery property. First note
that it suffices to show recv(c, K, recovery_period), from which recv(c, K, H) will follow for
larger values of H. The constant recovery_period is defined in terms of the maximum
value of NF_cell_rec(c, fr, max_rec_frames) for any c and fr. NF_cell_rec effectively traces
paths backwards through G* until a vote site or a node with no inputs is reached. The
full_recovery_condition ensures that every cycle of G* is cut by a vote site, thereby forcing
each path traced by NF_cell_rec to be acyclic. The maximum number of frames taken by the
longest possible acyclic path in G* can be determined and is used to bound the path length
and hence the value returned by NF_cell_rec. This, in turn, ensures that recovery_period is a
bound on the worst case recovery time.

Now we turn to a more detailed presentation of the full_recovery proof. A lemma full_rec
was provided that has the same formula as full_recovery, so our goal is to prove full_rec.

full_rec : LEMMA H ≥ recovery_period ⊃ recv(c, K, H)

This lemma is readily proved by induction on H by appealing to the lemma:

full_rec_rp : LEMMA recv(c, K, recovery_period)

Thus, once full recovery has been achieved it remains in effect as long as the processor
remains nonfaulty.

The proof of full_rec_rp is obtained by invoking the lemma

NF_cell_rec_recv : LEMMA
  NF_cell_rec(c, frame(K), k) ≤ H ∧ H < k ∧ k ≤ max_rec_frames
    ⊃ recv(c, K, H + 2)

with substitutions H = max(all_rec_set) and k = max_rec_frames. Noting that recovery_period =
max(all_rec_set) + 2, we are left to establish:

  NF_cell_rec(c, frame(K), max_rec_frames) ≤ max(all_rec_set)                (1)
  ∧ max(all_rec_set) < max_rec_frames

The first conjunct of formula 1 follows by the definition of all_rec_set given in section 4.1.4.
The second conjunct can be obtained by first noting that for some c′ and K′,

  NF_cell_rec(c′, frame(K′), max_rec_frames) = max(all_rec_set)              (2)

and then invoking the lemma

NF_cell_rec_bound_2 : LEMMA
  NF_cell_rec(c, fr, max_rec_frames) < max_rec_frames
with substitutions c = c′ and fr = frame(K′).

Figure 14: Proof tree for NF_cell_rec_bound_2. Lemmas shown in the tree: NF_cell_rec_bound_1,
max_path_len_bound, full_recovery_condition (axiom), path_outputs_not_voted (induction),
cell_rec_input_path (induction), pigeonhole_duplicates (separate proof), and minor lemmas.

At this point, the proof of full_rec has been broken into two main branches based on 
the lemmas NF_cell_rec_recv and NF_cell_rec_bound_2. In the first branch, NF_cell_rec_recv is 
proved by induction on H with the aid of several minor lemmas and the following property 
of NF_cell_rec: 

bound_NF_cell_rec : LEMMA NF_cell_rec(c, fr, H) ≤ H 

This lemma asserts that the count returned by NF_cell_rec may not exceed H because that is 
the point at which the recursion will "bottom out." If the count equals H, then recovery has 
not been achieved in the number of frames allotted. Conversely, when the count is less than 
H, we know that all the recovery paths have terminated before running out of nonfaulty 
frames. Induction on H is the technique used to prove bound_NF_cell_rec. 

The other main branch of the full_rec proof focuses on establishing the strict inequality 
NF_cell_rec_bound_2. This process requires many steps. Figure 14 shows the overall proof tree 
and the principal lemmas needed to carry out the proof. Several minor lemmas used along 
the way are not shown in the diagram. In addition, some lemmas require proof by induction, 
which we usually factor into several smaller steps by formulating a few intermediate lemmas 
that follow a stylized approach to induction proofs. 

Since the condition NF_cell_rec(c, fr, H) < H implies that cell c will be recovered within 
H frames, the lemma NF_cell_rec_bound_2 states that all cells will be recovered within time 
max_rec_frames. This is shown by appealing to the lemma NF_cell_rec_bound_1, 

NF_cell_rec_bound_1 : LEMMA 
  H ≤ max_rec_frames 
    ⊃ NF_cell_rec(c, fr, H) 
        ≤ max(path_len_set(c, fr, H)) * schedule_length + schedule_length 

and the lemma max_path_len_bound, 

max_path_len_bound : LEMMA max(path_len_set(c, fr, H)) ≤ num_cells 

with the substitution H = max_rec_frames. Recalling the value of constant max_rec_frames 
as schedule_length * (num_cells + 1) + 1, it follows from the two bounds that the right-hand 
side of NF_cell_rec_bound_1 is at most schedule_length * (num_cells + 1), which is one less 
than max_rec_frames, and hence that 

  NF_cell_rec(c, fr, max_rec_frames) < max_rec_frames                                 (3) 

and this completes the proof of NF_cell_rec_bound_2. 

The proof of NF_cell_rec_bound_1 is a straightforward application of induction with the 
help of several low-level lemmas. Since the proof involves a fair amount of arithmetic 
reasoning, a few lemmas were formulated to deal with the presence of the multiplication 
operator. This helped overcome the limitations of the Ehdm decision procedures. On the 
right-hand side of figure 14, the lemma max_path_len_bound follows directly from the 
definition of path_len_set and another bounding lemma: 

path_len_bound : LEMMA 
  cell_rec_path(path, len, c, fr, H) ⊃ len ≤ num_cells 

Now we have reduced the overall proof to establishing that a recovery path is no longer 
than the number of cells in a schedule. This can be deduced easily from the acyclic property 
of recovery paths, 

cell_rec_path_acyclic : LEMMA 
  cell_rec_path(path, len, c, fr, H) ⊃ ¬ cyclic_path(path, len) 

and the contrapositive of the following sufficient condition for the presence of a cyclic path: 

long_path_cyclic : LEMMA len > num_cells ⊃ cyclic_path(path, len) 

Thus, we once again have a two-way branch in our main proof. The acyclic property of 
recovery paths, cell_rec_path_acyclic, is proved by first applying a lemma about path types, 

cell_rec_input_path : LEMMA 
  cell_rec_path(path, len, c, fr, H) ⊃ input_path(path, len, c) 

to deduce: 

  cell_rec_path(path, len, c, fr, H) ∧ input_path(path, len, c)                         (4) 
    ⊃ ¬ cyclic_path(path, len) 

Now invoking the full_recovery_condition from section 4.1.3 leaves us with: 

  cell_rec_path(path, len, c, fr, H) ∧ cycles_voted(path, len)                          (5) 
    ⊃ ¬ cyclic_path(path, len) 

Another forward chaining step using the following absence of voting property for recovery 
paths, 

path_outputs_not_voted : LEMMA 
  cell_rec_path(path, len, c, fr, H) 
    ⊃ (∀ q, ff : 
         0 < q ∧ q < len ⊃ ¬ output_voted(path(q − 1), path(q), ff)) 

results in the formula: 

  cell_rec_path(path, len, c, fr, H) ∧ cycles_voted(path, len) ∧                        (6) 
  (∀ q, ff : 
     0 < q ∧ q < len ⊃ ¬ output_voted(path(q − 1), path(q), ff)) 
    ⊃ ¬ cyclic_path(path, len) 

Formula (6) now follows from the definitions involved because if none of the outputs along the 
path is voted, and all cyclic paths must have voted outputs, then the path cannot be cyclic. 
This completes the proof of cell_rec_path_acyclic. 

Finally, the remaining branch of the main proof is concerned with showing that the 
sufficient condition for cyclic paths, long_path_cyclic, is true. Intuitively, it seems that if a 
path is longer than the number of distinct cells, duplicates must exist. Nevertheless, the 
formal proof of such a statement involves a moderate amount of effort to carry out. In our 
case, the bulk of the work has been encapsulated in the form of a general theory for the 
Pigeonhole Principle, described in more detail in the next section. This principle states that 
if we have n objects drawn from a set having k distinct elements, where n > k, then there 
must exist duplicates among the n objects. Proving long_path_cyclic is now a simple matter 
of applying this principle, 

pigeonhole_duplicates : LEMMA 
  len > q ∧ bounded_elements(nlist, len, q) ⊃ duplicates(nlist, len) 

with substitutions nlist = path, len = len, and q = num_cells. Employing the definition 
of bounded_elements (presented in section 4.6) and the definition of cyclic_path (presented in 
section 4.1.2) completes the proof of long_path_cyclic. 

We have described the overall proof of the full_recovery obligation in moderate detail. 
Complete details are found in the EHDM modules for the DA_minv layer. 
4.6 Pigeonhole Principle 

The proof of full_recovery relies on a formal statement of the pigeonhole principle. We present 
below an excerpt from the Ehdm module nat_pigeonholes that captures the essential parts 
of this formalization. This module expresses its properties in terms of a finite list of natural 
numbers. Arguments to the functions take the form of a nat_list, which is a mapping from 
nats to nats, and a length. 

A function duplicates expresses the condition of a nat_list having at least one duplicate 
element. The predicate bounded_elements allows one to state that all elements of the list are 
less than some bounding number. 

duplicates : FUNCTION[nat_list, nat → bool] = 
  (λ nlist, len : (∃ k, l : k < l ∧ l < len ∧ nlist(k) = nlist(l))) 

bounded_elements : FUNCTION[nat_list, nat, nat → bool] = 
  (λ nlist, len, lmax : (∀ q : q < len ⊃ nlist(q) < lmax)) 

The number of occurrences of a particular number in a list is counted by the function 
occurrences. The predicate bounded_occurrences states the condition that the occurrence 
count for each possible value in a list is no greater than a specified bound. 

occurrences : RECURSIVE FUNCTION[nat_list, nat, nat → nat] = 
  (λ nlist, len, a : 
     IF len = 0 
       THEN 0 
     ELSIF a = nlist(len − 1) THEN occurrences(nlist, len − 1, a) + 1 
     ELSE occurrences(nlist, len − 1, a) END) 
  BY (λ nlist, len, a : len) 

bounded_occurrences : FUNCTION[nat_list, nat, nat → bool] = 
  (λ nlist, len, b : (∀ a : occurrences(nlist, len, a) ≤ b)) 

Three lemmas involving these functions are shown below. The first version of the pigeonhole 
principle is expressed in terms of simple duplicates, i.e., the occurrence bound is one. 
This is the version used in the proof of the full_recovery obligation. A generalized version of 
the principle is provided as well. 

pigeonhole_duplicates : LEMMA 
  len > q ∧ bounded_elements(nlist, len, q) ⊃ duplicates(nlist, len) 

pigeonhole_general : LEMMA 
  len > k * q ∧ bounded_elements(nlist, len, q) 
    ⊃ ¬ bounded_occurrences(nlist, len, k) 

dup_bnd_occ : LEMMA 
  duplicates(nlist, len) ≡ ¬ bounded_occurrences(nlist, len, 1) 
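The nat_pigeonholes functions above can be exercised directly on finite lists. The following Python model is an added example, not part of the paper or its EHDM modules: it transcribes duplicates, bounded_elements, occurrences and bounded_occurrences over Python sequences (a sequence indexed 0 .. len−1 stands in for the nat → nat mapping) and checks the three lemmas exhaustively over every list of length up to a bound. The bounds MAX_LEN, the value range q and the occurrence bounds k tried are choices made for this example; tight_instance shows why the hypothesis len > q in pigeonhole_duplicates cannot be weakened to len ≥ q.

```python
# Added example: an executable transcription of the nat_pigeonholes
# functions of Section 4.6, checked exhaustively on small finite lists.
# Not the paper's EHDM text; a nat_list is modelled by a Python sequence
# indexed 0 .. len-1.
from itertools import product


def duplicates(nlist, length):
    """EHDM duplicates: some k < l < length with nlist(k) = nlist(l)."""
    return any(nlist[k] == nlist[l]
               for k in range(length) for l in range(k + 1, length))


def bounded_elements(nlist, length, lmax):
    """EHDM bounded_elements: every element of the prefix is below lmax."""
    return all(nlist[q] < lmax for q in range(length))


def occurrences(nlist, length, a):
    """EHDM occurrences, recursive on length exactly as in the module
    (termination measure BY length)."""
    if length == 0:
        return 0
    rest = occurrences(nlist, length - 1, a)
    return rest + 1 if nlist[length - 1] == a else rest


def bounded_occurrences(nlist, length, b):
    """EHDM bounded_occurrences: no value occurs more than b times. The
    quantifier over all nats collapses to the values actually present,
    because a value absent from the prefix has zero occurrences."""
    return all(occurrences(nlist, length, a) <= b for a in set(nlist[:length]))


def check_lemmas(max_len, q, max_k=3):
    """Evaluate pigeonhole_duplicates, pigeonhole_general (for k = 1..max_k)
    and dup_bnd_occ on every list of length <= max_len over {0, .., q-1}.
    Every such list satisfies bounded_elements(nlist, len, q), so the lemmas'
    conclusions must hold whenever their length hypotheses do. Returns the
    number of instances examined and a counterexample count per lemma
    (all zero if the lemmas hold on this finite fragment)."""
    counts = {"instances": 0, "pigeonhole_duplicates": 0,
              "pigeonhole_general": 0, "dup_bnd_occ": 0}
    for length in range(max_len + 1):
        for nlist in product(range(q), repeat=length):
            counts["instances"] += 1
            assert bounded_elements(nlist, length, q)
            dup = duplicates(nlist, length)
            # pigeonhole_duplicates: len > q  implies  duplicates
            if length > q and not dup:
                counts["pigeonhole_duplicates"] += 1
            # pigeonhole_general: len > k*q  implies  not bounded_occurrences(k)
            for k in range(1, max_k + 1):
                if length > k * q and bounded_occurrences(nlist, length, k):
                    counts["pigeonhole_general"] += 1
            # dup_bnd_occ: duplicates  iff  not bounded_occurrences(1)
            if dup != (not bounded_occurrences(nlist, length, 1)):
                counts["dup_bnd_occ"] += 1
    return counts


def tight_instance(q):
    """The list 0, 1, .., q-1 has length q (not > q) and no duplicates,
    so the strict hypothesis len > q in pigeonhole_duplicates is needed."""
    nlist = tuple(range(q))
    return bounded_elements(nlist, q, q) and not duplicates(nlist, q)
```

Running check_lemmas(5, 3) examines all 364 lists of length at most 5 over three values and reports no counterexample for any of the three lemmas; the recursion in occurrences unwinds from the end of the list exactly as the BY measure in the module prescribes.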
4.7 Primary Lemmas 

The primary lemmas used to prove the DA_minv obligations are collected and displayed 
below. There are a number of other lemmas used in the proofs not shown here, but these are 
lower-level lemmas or formulas introduced merely to break up induction proofs into several 
manageable cases. All those lemmas cited in the foregoing presentation are included in this 
section. All lemmas shown have been proved within EHDM. 

cell_apply_element : LEMMA 
  cells(cell_apply(cfn, K, C, num_cells), c) 
    = IF v_sched(frame(K), c) 
        THEN cfn(c) ELSE cells(C, c) END 

f_v_components : LEMMA 
  f_k(f_v(ps, w)) = k_maj(w) 
  ∧ f_t(f_v(ps, w), c) 
      = IF v_sched(frame(ps.control), c) 
          THEN t_maj(w, c) ELSE cells(ps.memry, c) END 

f_c_uncomputed_cells : LEMMA 
  cell_frame(c) ≠ frame(X.control) 
    ⊃ cells((f_c(u, X)).memry, c) = cells(X.memry, c) 

exec_element_2 : LEMMA 
  LET K := ps.control, k := cell_subframe(c) 
  IN 
    q ≤ num_subframes(frame(K)) 
      ⊃ cells(exec(u, ps, q).memry, c) 
          = IF k < q ∧ cell_frame(c) = frame(K) 
              THEN cells(exec_task(u, exec(u, ps, k), k).memry, c) 
              ELSE cells(ps.memry, c) END 

cell_input_frame_lem : LEMMA 
  X.control = Y.control 
  ∧ cell_frame(c) = frame(X.control) 
  ∧ (∀ d : cell_input_frame(d, c) ⊃ cells_match(X, Y, d)) 
    ⊃ cells_match(f_c(u, X), f_c(u, Y), c) 

NF_cell_rec_equiv : LEMMA 
  ¬ v_sched(prev_fr(fr), c) ∧ cell_frame(c) = prev_fr(fr) 
    ⊃ NF_cell_rec(c, fr, k + 1) 
        = 1 + max(NF_rec_set(NF_cell_rec, c, prev_fr(fr), k)) 

full_rec : LEMMA H ≥ recovery_period ⊃ recv(c, K, H) 
full_rec_rp : LEMMA recv(c, K, recovery_period) 

bound_NF_cell_rec : LEMMA NF_cell_rec(c, fr, H) ≤ H 

bound_cell_rec_path : LEMMA cell_rec_path(path, len, c, fr, H) ⊃ len < H 

NF_cell_rec_nonzero : LEMMA k > 0 ⊃ NF_cell_rec(c, fr, k) > 0 

NF_rec_set_nonempty : LEMMA 
  cell_input_frame(d, c) ∧ k < max_rec_frames 
    ⊃ ¬ empty(NF_rec_set(NF_cell_rec, c, fr, k)) 

NF_cell_rec_recv : LEMMA 
  NF_cell_rec(c, frame(K), k) ≤ H ∧ H < k ∧ k ≤ max_rec_frames 
    ⊃ recv(c, K, H + 2) 

long_path_cyclic : LEMMA len > num_cells ⊃ cyclic_path(path, len) 

cell_rec_input_path : LEMMA 
  cell_rec_path(path, len, c, fr, H) ⊃ input_path(path, len, c) 

cell_rec_path_acyclic : LEMMA 
  cell_rec_path(path, len, c, fr, H) ⊃ ¬ cyclic_path(path, len) 

NF_cell_rec_bound_1 : LEMMA 
  H ≤ max_rec_frames 
    ⊃ NF_cell_rec(c, fr, H) 
        ≤ max(path_len_set(c, fr, H)) * schedule_length + schedule_length 

NF_cell_rec_bound_2 : LEMMA 
  NF_cell_rec(c, fr, max_rec_frames) < max_rec_frames 

path_len_bound : LEMMA 
  cell_rec_path(path, len, c, fr, H) ⊃ len ≤ num_cells 

cell_rec_path_exists : LEMMA 
  (∃ path, len : cell_rec_path(path, len, c, fr, H)) 

max_path_len_bound : LEMMA max(path_len_set(c, fr, H)) ≤ num_cells 

path_outputs_not_voted : LEMMA 
  cell_rec_path(path, len, c, fr, H) 
    ⊃ (∀ q, ff : 
         0 < q ∧ q < len ⊃ ¬ output_voted(path(q − 1), path(q), ff)) 

path_cells_not_voted : LEMMA 
  len > 0 ∧ cell_rec_path(path, len, c, fr, H) 
    ⊃ (∀ ff : 
         (between_frames(cell_frame(c), ff, fr) ∨ fr = cell_frame(c)) 
           ⊃ ¬ v_sched(ff, c)) 

last_cell_not_voted : LEMMA 
  len > 1 ∧ cell_rec_path(path, len, c, fr, H) 
    ⊃ (∀ ff : ¬ output_voted(path(len − 2), path(len − 1), ff)) 

last_cell_condition : LEMMA 
  len > 0 ∧ cell_rec_path(path, len, c, fr, H) 
    ⊃ c = path(len − 1) ∧ ((∃ d : cell_input_frame(d, c)) ∨ len = 1) 

next_cell_condition : LEMMA 
  cell_rec_path(path, len, c, fr, H) 
    ⊃ (∀ e : cell_rec_path(path WITH [(len) := e], len, c, fr, H)) 

input_path_zero : LEMMA input_path(path, 0, c) 
input_path_one : LEMMA c = path(0) ⊃ input_path(path, 1, c) 
input_path_ext : LEMMA 
  input_path(path, len, d) ∧ cell_input_frame(d, c) ∧ c = path(len) 
    ⊃ input_path(path, len + 1, c) 

5 Interprocessor Mailbox System 

The functionality of the interprocessor mailbox system was first elaborated in the DS level. 
The basic idea is illustrated in figure 15. In a four processor system, for example, there 
are three incoming slots and one outgoing slot each of type MB. The collection is of type 
MBvec. 

[Figure 15 (diagram not reproduced): the mailbox slots of the four processors, P1 through P4.] 
Figure 15: Structure of Mailboxes in a four-processor system 

MB : TYPE 
MBvec : TYPE = ARRAY[processors → MB] 

Each of these slots contains some subset of the cells of memory (since only a small portion 
of memory is exchanged and voted during each frame). Two uninterpreted functions, cebuf and 
cnbuf, are defined at the DA_minv level to return, respectively, the contents of the mailbox 
slot (i.e. MB) associated with a specific cell and the "control state" carried by the slot: 

cebuf : FUNCTION[MB, cell → cell_state] 
cnbuf : FUNCTION[MB → control_state] 

These functions are not implemented at the DA_minv level but are constrained by the 
following three axioms: 

cebuf_ax : AXIOM cs_length(cebuf(mb, cc)) = c_length(cc) 

f_s_ax : AXIOM 
  IF v_sched(frame(ps.control), cc) 
    THEN cebuf(f_s(ps), cc) = cells(ps.memry, cc) 
    ELSE cebuf(f_s(ps), cc) = cs0(cc) END 

f_s_control_ax : AXIOM cnbuf(f_s(ps)) = ps.control 

The function f_s is used by the state-transition relation to transfer data from main memory 
to the outgoing mailbox slot. This function f_s is declared as 

f_s : FUNCTION[Pstate → MB] 

and is uninterpreted at the DA_minv level. It is refined in the LE level in terms of four 
functions as shown in figure 16. The implementation of f_s is described in the next subsection. 

Figure 16: Function f_s Implementation Tree (diagram not reproduced) 
5.1 LE Mailbox 

The two upper-level functions cebuf and cnbuf, which return the contents of the mailbox 
slot (i.e. MB, here of type MBbuf) associated with a specific cell and the "control state" of 
the slot, are mapped onto functions cebuf and cnbuf in the LE model. These functions, and 
the type MBbuf, are defined as follows: 

MBbuf : TYPE = RECORD cntrl : control_state, mem : MBmemory END 

cebuf : FUNCTION[MBbuf, cell → cell_state] = 
  (λ MB, cc : LET fr := (MB.cntrl).frame IN 
     IF v_sched(fr, cc) THEN MBcell(MB.mem, cc, fr) ELSE cs0(cc) END) 

cnbuf : FUNCTION[MBbuf → control_state] = (λ MB : MB.cntrl) 

The function cebuf simply copies the contents of a particular cell in a mailbox slot to a 
cell_state buffer. The copy is specified by MBcell, which uses a higher-order shift function 
MBshift: 

MBshift : FUNCTION[MBmemory, MBaddress → memory] = 
  (λ MBmem, Low : 
     (λ nn : IF nn + Low < MBmem_size 
               THEN MBmem(nn + Low) 
               ELSE word0 END IF)) 

MBcell : FUNCTION[MBmemory, cell, frame_cntr → cell_state] = 
  (λ MBmem, cc, fr : 
     cs0(cc) WITH 
       [len := length(MBmap(cc, fr)), 
        blk := MBshift(MBmem, MBmap(cc, fr).low)]) 

The location of cells in the mailbox is determined by the function MBmap: 

MBmap : FUNCTION[cell, frame_cntr → MBaddress_range] 

The function f_s is used by the state-transition relation to transfer data from main memory 
to the outgoing mailbox slot. This function f_s is defined as follows: 

f_s : FUNCTION[Pstate → MBbuf] = 
  (λ PS : MBbuf_0 WITH [cntrl := PS.control, 
                        mem := f_s_mem(PS)]) 

where 

f_s_mem : FUNCTION[Pstate → MBmemory] = 
  (λ PS : LET fr := (PS.control).frame IN 
     (λ adr : IF cell_of_MB(adr, fr) < no_cell THEN 
                IF v_sched(fr, cell_of_MB(adr, fr)) THEN 
                  PS.memry(cell_map(cell_of_MB(adr, fr)).low + adr − MBmap(cell_of_MB(adr, fr), fr).low) 
                ELSE word0 
                END IF 
              ELSE word0 
              END IF)) 

The function cell_of_MB returns the cell in which a given address is contained. This function 
is defined axiomatically using address_within (the ELSE branch of cell_of_MB_ax is shown here 
in its original form; its correction is discussed in section 7.2): 

cell_of_MB_ax : AXIOM 
  IF v_sched(fr, cc) ∧ address_within(adr, MBmap(cc, fr)) 
    THEN cell_of_MB(adr, fr) = cc 
    ELSE cell_of_MB(adr, fr) = no_cell END 

cell_of_MB_ax_2 : AXIOM 
  cell_of_MB(adr, fr) = cc ∧ cc < no_cell 
    ⊃ v_sched(fr, cc) ∧ address_within(adr, MBmap(cc, fr)) 

The following lemma is easier to use and understand than the definition of the function: 

f_s_lem : LEMMA 
  offset ≤ length(cell_map(cc)) − 1 ∧ v_sched((PS.control).frame, cc) 
    ⊃ f_s(PS).mem(MBmap(cc, (PS.control).frame).low + offset) 
        = PS.memry(cell_map(cc).low + offset) 

This lemma shows the result of copying a cell from main memory to the mailbox with 
f_s, and is illustrated in figure 17. 
5.2 Verifications Associated With f_s-Related Refinements 

The key properties of f_s were specified axiomatically in the DA_minv level specification by 
two axioms. These become proof obligations in the LE level: 

f_s_ax : OBLIGATION 
  IF v_sched(frame(ps.control), cc) 
    THEN cebuf(f_s(ps), cc) = cell_mem(ps.memry, cc) 
    ELSE cebuf(f_s(ps), cc) = cs0(cc) 
  END 

f_s_control_ax : OBLIGATION cnbuf(f_s(ps)) = ps.control 

Figure 17: The result of copying a cell from main memory to the mailbox using f_s (diagram not reproduced) 

5.2.1 Proof of f_s_control_ax 

This result follows trivially from the definition of f_s. 

5.2.2 Proof of f_s_ax 

The first step is to establish: 

LEM1 : LEMMA 
  v_sched(frame(ps.control), cc) ∧ x ≤ length(cell_map(cc)) − 1 
    ⊃ cebuf(f_s(ps), cc).blk(x) 
        = f_s(ps).mem(MBmap(cc, (ps.control).frame).low + x) 

This follows from the definitions of cebuf, MBcell and MBshift and four axioms: MB_size_ax, 
map_ax, MBmap_high_ax and f_s_control_ax. The next step is to prove LEM2: 

LEM2 : LEMMA 
  x ≤ length(cell_map(cc)) − 1 
    ⊃ cell_mem(ps.memry, cc).blk(x) = ps.memry(x + cell_map(cc).low) 

from the definitions of cell_mem and mshift and axioms MB_size_ax and cell_map_high_ax. 
Using the key lemma about f_s, f_s_lem, together with LEM1 and LEM2 with x substituted by 
xx, we have: 

LEM3 : LEMMA 
  v_sched(frame(ps.control), cc) ∧ xx ≤ length(cell_map(cc)) − 1 
    ⊃ cebuf(f_s(ps), cc).blk(xx) = cell_mem(ps.memry, cc).blk(xx) 

Two more simple lemmas are easily established from the definitions of cebuf and MBcell and 
axioms f_s_control_ax and map_ax: 

LEM4 : LEMMA 
  ¬ v_sched(frame(ps.control), cc) ⊃ cebuf(f_s(ps), cc) = cs0(cc) 

LEM5 : LEMMA 
  v_sched(frame(ps.control), cc) 
    ⊃ cebuf(f_s(ps), cc).len = length(cell_map(cc)) 

The last required lemma is LEM6: 

LEM6 : LEMMA 
  IF v_sched(frame(ps.control), cc) 
    THEN cebuf(f_s(ps), cc).len = cell_mem(ps.memry, cc).len 
    ELSE cebuf(f_s(ps), cc).len = cs0(cc).len 
  END 

The obligation f_s_ax follows from LEM3, LEM4, LEM5 and LEM6 using the cell_state 
extensionality axiom CS_extensionality. 
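The LE-level definitions of section 5.1 and the f_s_lem, f_s_ax and f_s_control_ax properties of section 5.2 can be exercised on a concrete configuration. The following Python model is an added example, not the paper's EHDM text. Its configuration (three cells, a two-frame voting schedule, a six-word main memory and a three-word mailbox slot, with cell_map, v_sched and MBmap given as tables) is constructed for this example and is richer than the section 7 model; modelling word0 as 0, a control_state by its frame counter and no_cell as the value num_cells are assumptions of the example, and SAMPLE_MEMORY is constructed sample data. The checks walk every frame, cell and offset rather than the single instance a proof step would pick.

```python
# Added example: executable model of the LE mailbox functions of
# Section 5.1 (MBshift, MBcell, cebuf, cnbuf, f_s_mem, f_s) and checks of
# f_s_lem and the f_s_ax / f_s_control_ax obligations of Section 5.2.
# Not the paper's EHDM text. Configuration, word0 = 0, control state =
# frame counter and no_cell = num_cells are assumptions of this example.
from dataclasses import dataclass

WORD0 = 0
NUM_CELLS = 3
NO_CELL = NUM_CELLS                  # assumed sentinel, one past the last cell
MBMEM_SIZE = 3
CELL_MAP = {0: (0, 1), 1: (2, 4), 2: (5, 5)}      # (low, high) in main memory
V_SCHED = {0: {0, 2}, 1: {1}}                     # cells voted in each frame
MB_MAP = {(0, 0): (0, 1), (2, 0): (2, 2), (1, 1): (0, 2)}  # (cell, frame) -> slot range
SAMPLE_MEMORY = [10, 11, 20, 21, 22, 30]          # constructed 6-word memory


@dataclass
class CellState:
    len: int
    blk: list


def range_length(rng):
    return rng[1] - rng[0] + 1


def v_sched(fr, cc):
    return cc in V_SCHED[fr]


def address_within(adr, rng):
    return rng[0] <= adr <= rng[1]


def cell_of_mb(adr, fr):
    """The unique voted cell whose MBmap range contains adr, else no_cell
    (this satisfies cell_of_MB_ax for the configuration above)."""
    for cc in range(NUM_CELLS):
        if v_sched(fr, cc) and address_within(adr, MB_MAP[(cc, fr)]):
            return cc
    return NO_CELL


def cs0(cc):
    """Null cell state: the cell's length, every word word0."""
    n = range_length(CELL_MAP[cc])
    return CellState(n, [WORD0] * n)


def cell_mem(memry, cc):
    low, high = CELL_MAP[cc]
    return CellState(high - low + 1, memry[low:high + 1])


def f_s_mem(fr, memry):
    """f_s_mem: fill the outgoing slot word by word from main memory."""
    mbmem = []
    for adr in range(MBMEM_SIZE):
        cc = cell_of_mb(adr, fr)
        if cc < NO_CELL and v_sched(fr, cc):
            mbmem.append(memry[CELL_MAP[cc][0] + adr - MB_MAP[(cc, fr)][0]])
        else:
            mbmem.append(WORD0)
    return mbmem


def f_s(fr, memry):
    """f_s: the MBbuf record (cntrl, mem)."""
    return {"cntrl": fr, "mem": f_s_mem(fr, memry)}


def mbshift(mbmem, low):
    """MBshift: view of the slot starting at low, word0 past its end."""
    return [mbmem[nn + low] if nn + low < MBMEM_SIZE else WORD0
            for nn in range(MBMEM_SIZE)]


def mbcell(mbmem, cc, fr):
    rng = MB_MAP[(cc, fr)]
    return CellState(range_length(rng), mbshift(mbmem, rng[0])[:range_length(rng)])


def cebuf(mb, cc):
    fr = mb["cntrl"]
    return mbcell(mb["mem"], cc, fr) if v_sched(fr, cc) else cs0(cc)


def cnbuf(mb):
    return mb["cntrl"]


def check_f_s_lem(memry):
    """f_s_lem for every frame, voted cell and offset <= length - 1."""
    for fr in V_SCHED:
        mb = f_s(fr, memry)
        for cc in V_SCHED[fr]:
            for offset in range(range_length(CELL_MAP[cc])):
                if mb["mem"][MB_MAP[(cc, fr)][0] + offset] != memry[CELL_MAP[cc][0] + offset]:
                    return False
    return True


def check_obligations(memry):
    """The LE obligations f_s_ax and f_s_control_ax for every frame and cell."""
    for fr in V_SCHED:
        mb = f_s(fr, memry)
        if cnbuf(mb) != fr:
            return False
        for cc in range(NUM_CELLS):
            expected = cell_mem(memry, cc) if v_sched(fr, cc) else cs0(cc)
            if cebuf(mb, cc) != expected:
                return False
    return True
```

With SAMPLE_MEMORY, frame 0 ships cells 0 and 2 as the slot [10, 11, 30] and frame 1 ships cell 1 as [20, 21, 22]; reading a cell back through cebuf yields cell_mem(memry, cc) for a voted cell and cs0(cc) otherwise, which is exactly the case split of the f_s_ax obligation.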


6 Implementation of f_k, f_t and Other Functions 

At the DA_minv level the f_k, f_t and f_n functions are fully interpreted: 

f_k : FUNCTION[Pstate → control_state] = (λ ps : ps.control) 

f_t : FUNCTION[Pstate, cell → cell_state] = 
  (λ ps, c : cells(ps.memry, c)) 

f_n : FUNCTION[Pstate → Pstate] = 
  (λ ps : ps WITH [(control) := succ(ps.control)]) 

The function f_k extracts the control state from Pstate. The function f_t is implemented via 
the cells function and the function f_n increments the frame counter. 

The succ function is defined axiomatically as follows: 

succ : FUNCTION[control_state → control_state] 
succ_cntr_ax : AXIOM frame(succ(K)) = next_fr(frame(K)) 

The function f_a is still uninterpreted at the LE level: 

f_a : FUNCTION[Pstate → outputs] 

In the upper levels of the hierarchy as well as in the LE model, details of the I/O interface 
have not been elaborated. The inputs and outputs of the system are uninterpreted domains: 

inputs : TYPE 
outputs : TYPE 
7 A Simple Model to Demonstrate Consistency of the 
Axioms 

To demonstrate that the axioms introduced in the LE level are consistent, we created a 
version of this level in which the important constants and functions left undefined in the 
original LE model were given values. Figure 18 shows the memory configuration and the 
task schedule chosen for the simple model. 

Table 3 shows the values given to the previously unspecified constants in order to realize 
the desired configuration and structure. Although the values assigned are not realistic (for 
example, mem_size = 2), they suffice for demonstrating consistency of the axioms. 

  Module           Constant          Value 
  rcp_defs_1       nrep              6 
  rcp_defs_2       schedule_length   2 
                   num_cells         2 
  memory_defs      mem_size          2 
  MBmemory_defs    MBmem_size        1 

Table 3: Values Assigned to Constants 

[Figure 18 (diagram not reproduced): main memory holds cell 0 at address 0 and cell 1 at 
address 1; the one-word MBmemory holds cell 0 in frame 0 and cell 1 in frame 1; the task 
schedule runs cell 0 in frame 0 and cell 1 in frame 1.] 
Figure 18: Memory and Task Schedule Layout 

7.1 Function Definitions 

In addition to giving values to the above mentioned constants, we also gave definitions to 
important functions. In module rcp_defs_hw.spec, the following definition for cell_map was 
given: 

cell_map : FUNCTION[cell → address_range] = (λ cc : 
  IF (cc = 0) 
    THEN (REC low := 0, high := 0) : address_range 
    ELSE (REC low := 1, high := 1) : address_range 
  END IF) 

In mailbox_hw, MBmap was defined as follows: 

MBmap : FUNCTION[cell, frame_cntr → MBaddress_range] = (λ cc, fr : 
  (REC low := 0, high := 0) : MBaddress_range) 

The following definitions were given in cell_funs: 

cell_frame : FUNCTION[cell → frame_cntr] = (λ c : 
  IF (c = 0) THEN 0 : frame_cntr ELSE 1 : frame_cntr END IF) 

cell_subframe : FUNCTION[cell → sub_frame] = (λ c : 0 : sub_frame) 

sched_cell : FUNCTION[frame_cntr, sub_frame → cell] = (λ fr, sf : 
  IF (fr = 0) THEN 0 : cell ELSE 1 : cell END IF) 

num_subframes : FUNCTION[frame_cntr → nat] = (λ fr : 1) 

cell_of_MB was defined as follows in minimal_hw.spec: 

cell_of_MB : FUNCTION[MBaddress, frame_cntr → nat] = (λ adr, fr : 
  IF (adr = 0) ∧ (fr = 0) 
    THEN 0 
  ELSIF (adr = 0) ∧ (fr = 1) 
    THEN 1 
  ELSE no_cell 
  END IF) 

Finally, the following definition for v_sched was given in module path_funs.spec: 

v_sched : FUNCTION[frame_cntr, cell → bool] = (λ fr, c : 
  IF ((fr = 0) ∧ (c = 0)) ∨ ((fr = 1) ∧ (c = 1)) 
    THEN true ELSE false 
  END IF) 

7.2 Inconsistencies Discovered 

This exercise revealed three inconsistencies in the LE axioms. As originally written, neither 
sched_cell_ax nor cell_of_MB_ax nor MBcell_separation was satisfiable. 

The original sched_cell_ax was as follows: 

sched_cell_ax : AXIOM 
  mm = cell_frame(c) ∧ k = cell_subframe(c) 
    sched_cell(mm, k) = c 

As written, this axiom does not take into account the fact that the returned value of 
sched_cell(mm, k) is meaningful only when k is a valid subframe of mm. Thus the axiom 
should be, and now is, written in the following way: 

sched_cell_ax : AXIOM 
  mm = cell_frame(c) ∧ k = cell_subframe(c) 
    sched_cell(mm, k) = c ∧ k < num_subframes(mm) 

The original cell_of_MB_ax was as follows: 

cell_of_MB_ax : AXIOM 
  IF v_sched(fr, cc) ∧ address_within(adr, MBmap(cc, fr)) 
    THEN cell_of_MB(adr, fr) = cc 
    ELSE cell_of_MB(adr, fr) = no_cell 
  END 

The "else" part of this axiom is simply false; for any valid adr and fr, cell_of_MB(adr, fr) 
will return a valid cell, not no_cell. All that we can say about the value that will be returned 
is that it will not be equal to cc. Fortunately, this is all that we need to know, and the axiom 
can be rewritten in the following way: 

cell_of_MB_ax : AXIOM 
  IF v_sched(fr, cc) ∧ address_within(adr, MBmap(cc, fr)) 
    THEN cell_of_MB(adr, fr) = cc 
    ELSE cell_of_MB(adr, fr) ≠ cc 
  END 

The original MBcell_separation was as follows: 

MBcell_separation : AXIOM 
  (c1 ≠ c2) ⊃ address_disjoint(MBmap(c1, fr), MBmap(c2, fr)) 

This axiom does not take into account the fact that we care about the addresses being 
disjoint only if both of the cells in question are scheduled in the current frame. Thus, the 
axiom was changed to be: 

MBcell_separation : AXIOM 
  (c1 ≠ c2) ∧ v_sched(fr, c1) ∧ v_sched(fr, c2) ⊃ 
    address_disjoint(MBmap(c1, fr), MBmap(c2, fr)) 

In addition to these three inconsistent axioms, an unneeded axiom was discovered, namely 
num_subframes_ax, which was given as follows: 

num_subframes_ax : AXIOM 
  fr = cell_frame(c) ⊃ cell_subframe(c) < num_subframes(fr) 
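The inconsistencies above can be reproduced mechanically by evaluating each axiom at every point of the finite model of sections 7 and 7.1, which is what a consistency check by instantiation amounts to. The following Python script is an added example, not part of the paper or its EHDM modules; it transcribes the Table 3 constants and the section 7.1 definitions that the checked axioms mention and reports which of the original and corrected forms hold. Two assumptions are made: no_cell is taken to be num_cells (the sentinel one past the last cell), and, because the connective between the two halves of sched_cell_ax is not legible in the source, that axiom is evaluated as an equivalence, the reading under which the paper's explanation of its defect (the value of sched_cell being meaningful only for a valid k) applies. The sub_frame domain is cut off at a small bound for the finite check.

```python
# Added example: exhaustive evaluation of the LE axioms of Section 7.2 on
# the finite model of Section 7 (Table 3 constants, Section 7.1 functions).
# Not the paper's EHDM text. Assumptions: no_cell = num_cells; sched_cell_ax
# is read as an equivalence (its connective is illegible in the source);
# sub_frame is cut off at MAX_SUBFRAME for the finite check.
from itertools import product

SCHEDULE_LENGTH = 2          # Table 3
NUM_CELLS = 2
MBMEM_SIZE = 1
NO_CELL = NUM_CELLS          # assumption
MAX_SUBFRAME = 3             # finite cut-off for the sub_frame domain

FRAMES = range(SCHEDULE_LENGTH)
CELLS = range(NUM_CELLS)
MB_ADDRS = range(MBMEM_SIZE)
SUBFRAMES = range(MAX_SUBFRAME)


def mb_map(cc, fr):          # mailbox_hw: every cell maps to slot word 0
    return (0, 0)


def cell_frame(c):           # cell_funs
    return 0 if c == 0 else 1


def cell_subframe(c):
    return 0


def sched_cell(fr, sf):
    return 0 if fr == 0 else 1


def num_subframes(fr):
    return 1


def cell_of_mb(adr, fr):     # minimal_hw
    if adr == 0 and fr == 0:
        return 0
    if adr == 0 and fr == 1:
        return 1
    return NO_CELL


def v_sched(fr, c):          # path_funs
    return (fr, c) in {(0, 0), (1, 1)}


def address_within(adr, rng):
    return rng[0] <= adr <= rng[1]


def address_disjoint(r1, r2):
    return r1[1] < r2[0] or r2[1] < r1[0]


def holds(axiom, *domains):
    """True iff the axiom is true at every point of the product of domains."""
    return all(axiom(*args) for args in product(*domains))


def cell_of_mb_ax_original(adr, fr, cc):
    # ELSE branch demands no_cell: fails at adr=0, fr=0, cc=1 (value is 0)
    if v_sched(fr, cc) and address_within(adr, mb_map(cc, fr)):
        return cell_of_mb(adr, fr) == cc
    return cell_of_mb(adr, fr) == NO_CELL


def cell_of_mb_ax_corrected(adr, fr, cc):
    # ELSE branch only demands a cell other than cc
    if v_sched(fr, cc) and address_within(adr, mb_map(cc, fr)):
        return cell_of_mb(adr, fr) == cc
    return cell_of_mb(adr, fr) != cc


def mbcell_separation_original(c1, c2, fr):
    return c1 == c2 or address_disjoint(mb_map(c1, fr), mb_map(c2, fr))


def mbcell_separation_corrected(c1, c2, fr):
    if c1 != c2 and v_sched(fr, c1) and v_sched(fr, c2):
        return address_disjoint(mb_map(c1, fr), mb_map(c2, fr))
    return True


def sched_cell_ax_without_bound(mm, k, c):
    # fails at mm=0, k=1, c=0: sched_cell(0, 1) = 0 but cell_subframe(0) != 1
    lhs = mm == cell_frame(c) and k == cell_subframe(c)
    return lhs == (sched_cell(mm, k) == c)


def sched_cell_ax_corrected(mm, k, c):
    lhs = mm == cell_frame(c) and k == cell_subframe(c)
    return lhs == (sched_cell(mm, k) == c and k < num_subframes(mm))


def num_subframes_ax(fr, c):
    return fr != cell_frame(c) or cell_subframe(c) < num_subframes(fr)


def audit():
    """Map each axiom (original and corrected form) to whether it holds."""
    return {
        "cell_of_MB_ax original": holds(cell_of_mb_ax_original, MB_ADDRS, FRAMES, CELLS),
        "cell_of_MB_ax corrected": holds(cell_of_mb_ax_corrected, MB_ADDRS, FRAMES, CELLS),
        "MBcell_separation original": holds(mbcell_separation_original, CELLS, CELLS, FRAMES),
        "MBcell_separation corrected": holds(mbcell_separation_corrected, CELLS, CELLS, FRAMES),
        "sched_cell_ax without subframe bound": holds(sched_cell_ax_without_bound, FRAMES, SUBFRAMES, CELLS),
        "sched_cell_ax corrected": holds(sched_cell_ax_corrected, FRAMES, SUBFRAMES, CELLS),
        "num_subframes_ax": holds(num_subframes_ax, FRAMES, CELLS),
    }
```

The audit reports the original cell_of_MB_ax and MBcell_separation as false in the model (the ELSE branch demands no_cell where the model returns cell 0; both cells share mailbox word 0 but are never voted in the same frame) and the corrected forms as true. Under the equivalence reading, sched_cell_ax fails without the subframe bound at a k that is not a valid subframe and holds once the bound is added; num_subframes_ax is then true outright, consistent with the paper's remark that it became unneeded.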
8 Conclusion 


In this paper we present the third phase of the development of the Reliable Computing 
Platform (RCP). This effort has resulted in two additional layers in the formal specification 
hierarchy, bringing the total to six (excluding the clock synchronization hierarchy it is built 
upon). These specifications introduce a more detailed elaboration of the behavior of the 
RCP in three main areas: 

• task dispatching and execution, 

• minimal voting, and 

• interprocessor communication via mailboxes. 

Each of these refinements was developed using the Ehdm mapping facility, which automat- 
ically generates the required proof obligations. Each of these proof obligations has been 
satisfied. In addition, many of the axioms have been shown to be consistent by mapping 
them onto a concrete (albeit unrealistic) instance. This paper presents an overview of the 
more interesting and important proofs. 

Phase 3 does not represent a complete implementation of the RCP. Much work remains to 
carry this detailed design down into a fully operational implementation. However, the design 
is sufficiently mature for the implementation of a meaningful simulator. The simulator is 
currently under development in the Scheme programming language. One part of the system 
remains as a high-level design rather than a detailed design: the interactive consistency 
mechanism. There are many possible algorithms available that could be exploited, but so 
far, no choice has been made for the RCP. 

The RCP represents one of the largest and most complex proofs performed using EHDM. 
The total collection of EHDM specifications and proof directives is 13559 lines long (excluding 
blank lines and most comments). Executing the entire set of proofs requires over 4 hours of 
computation time on a Sparc 10 with 64 Mbytes of memory. 





References 

[1] Di Vito, Ben L.; Butler, Ricky W.; and Caldwell, James L., II: Formal Design and 
Verification of a Reliable Computing Platform For Real-Time Control (Phase 1 Results). 
NASA Technical Memorandum 102716, Oct. 1990. 

[2] Butler, Ricky W.; and Di Vito, Ben L.: Formal Design and Verification of a Reliable 
Computing Platform For Real-Time Control (Phase 2 Results). NASA Technical 
Memorandum 104196, Jan. 1992. 

[3] Butler, Ricky W.: The SURE Approach to Reliability Analysis. IEEE Transactions on 
Reliability, vol. 41, no. 2, June 1992, pp. 210-218. 

[4] Butler, Ricky W.; and White, Allan L.: SURE Reliability Analysis: Program and 
Mathematics. NASA Technical Paper 2764, Mar. 1988. 

[5] Lamport, Leslie; Shostak, Robert; and Pease, Marshall: The Byzantine Generals 
Problem. ACM Transactions on Programming Languages and Systems, vol. 4, no. 3, July 
1982, pp. 382-401. 

[6] Rushby, John; and von Henke, Friedrich: Formal Verification of a Fault-Tolerant Clock 
Synchronization Algorithm. NASA Contractor Report 4239, June 1989. 

[7] Miner, Paul S.; Padilla, Peter A.; and Torres, Wilfredo: A Provably Correct Design 
of a Fault-Tolerant Clock Synchronization Circuit. In 11th Digital Avionics Systems 
Conference, Seattle, WA, Oct. 1992, pp. 341-346. 

[8] Miner, Paul S.: An Extension to Schneider's General Paradigm for Fault-Tolerant Clock 
Synchronization. NASA Technical Memorandum 107634, Langley Research Center, 
Hampton, VA, 1992. 

[9] Miner, Paul S.: A Verified Design of a Fault-Tolerant Clock Synchronization Circuit: 
Preliminary Investigations. NASA Technical Memorandum 107568, Mar. 1992. 

[10] Rushby, John: Improvements in the Formally Verified Analysis of the Interactive 
Convergence Clock Synchronization Algorithm and its Extension to a Hybrid Fault Model. 
NASA Contractor Report 194970, 1994. 





A Obligations Generated by Ehdm Mappings 

In earlier sections we have discussed the most important obligations and proofs. For 
completeness we list all of the obligations produced by Ehdm mapping statements: 

A.1 Module generic_FT_to_minimal_v 

ps, X, Y : VAR Pstate 
p, i, j : VAR processors 
u : VAR inputs 
w : VAR MBvec 
A, B : VAR set[processors] 
c, d, e : VAR cell 
K : VAR control_state 
H : VAR nat 

recovery_period_ax : OBLIGATION recovery_period ≥ 2 

succ_ax : OBLIGATION f_k(f_n(ps)) = succ(f_k(ps)) 

control_nc : OBLIGATION f_k(f_c(u, ps)) = f_k(ps) 

cells_nc : OBLIGATION f_t(f_n(ps), c) = f_t(ps, c) 

full_recovery : OBLIGATION H ≥ recovery_period ⊃ recv(c, K, H) 

initial_recovery : OBLIGATION recv(c, K, H) ⊃ H ≥ 2 

dep_recovery : OBLIGATION 
  recv(c, succ(K), H + 1) ∧ dep(c, d, K) ⊃ recv(d, K, H) 

components_equal : OBLIGATION 
  f_k(X) = f_k(Y) ∧ (∀ c : f_t(X, c) = f_t(Y, c)) ⊃ X = Y 

control_recovered : OBLIGATION 
  maj_condition(A) ∧ (∀ p : member(p, A) ⊃ w(p) = f_s(ps)) ⊃ f_k(f_v(Y, w)) = f_k(ps) 

cell_recovered : OBLIGATION 
  maj_condition(A) 
  ∧ (∀ p : member(p, A) ⊃ w(p) = f_s(f_c(u, ps))) 
  ∧ f_k(X) = K ∧ f_k(ps) = K ∧ dep_agree(c, K, X, ps) 
    ⊃ f_t(f_v(f_c(u, X), w), c) = f_t(f_c(u, ps), c) 

vote_maj : OBLIGATION 
  maj_condition(A) ∧ (∀ p : member(p, A) ⊃ w(p) = f_s(ps)) ⊃ f_v(ps, w) = ps 

A.2 Module DA_to_DA_minv 

da : VAR DAstate 
u : VAR inputs 
i, p, q, qq : VAR processors 
T : VAR number 
X, Y : VAR number 
D : VAR number 

broadcast_duration : OBLIGATION 
  (1 − Rho) * abs(duration(broadcast) − 2 * v * duration(compute) − v * duration(broadcast)) − delta 
    > max_comm_delay 

broadcast_duration2 : OBLIGATION 
  duration(broadcast) − 2 * v * duration(compute) − v * duration(broadcast) > 0 

all_durations : OBLIGATION 
  (1 + v) * duration(compute) + (1 + v) * duration(broadcast) < frame_time 

pos_durations : OBLIGATION 
  0 < (1 − v) * duration(compute) 
  ∧ 0 < (1 − v) * duration(broadcast) 
  ∧ 0 < (1 − v) * duration(vote) ∧ 0 < (1 − v) * duration(sync) 

A.3 Module rcp_defs_imp_to_hw 

k : VAR nat 
mem : VAR memory 
cc, xx : VAR cell 
cs : VAR cell_state 

cells_ax : OBLIGATION cs_length(cell_mem(mem, cc)) = c_length(cc) 

write_cell_ax : OBLIGATION 
  cs_length(cs) = c_length(xx) 
    ⊃ CS_eq(cell_mem(write_cell(mem, xx, cs), cc), 
            IF cc = xx THEN cs ELSE cell_mem(mem, cc) END) 

null_memory_ax : OBLIGATION CS_eq(cell_mem(mem0, cc), cs0(cc)) 

mb : VAR MBbuf 

cebuf_ax : OBLIGATION cs_length(cebuf(mb, cc)) = c_length(cc) 

cell_state_var1, cell_state_var2, cell_state_var3 : VAR cell_state 
control_state_var1, control_state_var2, control_state_var3 : VAR control_state 

cell_state_reflexive : OBLIGATION CS_eq(cell_state_var1, cell_state_var1) 

cell_state_symmetric : OBLIGATION 
  CS_eq(cell_state_var1, cell_state_var2) ⊃ CS_eq(cell_state_var2, cell_state_var1) 

cell_state_transitive : OBLIGATION 
  CS_eq(cell_state_var1, cell_state_var2) ∧ CS_eq(cell_state_var2, cell_state_var3) 
    ⊃ CS_eq(cell_state_var1, cell_state_var3) 

control_state_reflexive : OBLIGATION cnst_eq(control_state_var1, control_state_var1) 

control_state_symmetric : OBLIGATION 
  cnst_eq(control_state_var1, control_state_var2) ⊃ cnst_eq(control_state_var2, control_state_var1) 

control_state_transitive : OBLIGATION 
  cnst_eq(control_state_var1, control_state_var2) 
  ∧ cnst_eq(control_state_var2, control_state_var3) 
    ⊃ cnst_eq(control_state_var1, control_state_var3) 

frame_congruence : OBLIGATION 
  cnst_eq(control_state_var1, control_state_var2) 
    ⊃ frame(control_state_var1) = frame(control_state_var2) 

cs_length_congruence : OBLIGATION 
  CS_eq(cs, cell_state_var1) ⊃ cs_length(cs) = cs_length(cell_state_var1) 

write_cell_congruence : OBLIGATION 
  CS_eq(cs, cell_state_var1) ⊃ write_cell(mem, cc, cs) = write_cell(mem, cc, cell_state_var1) 

A.4 Module gen_com_to_hw 

p, i, j : VAR processors 
k, l, q : VAR sub_frame 
u : VAR inputs 
A : VAR set[processors] 
c, d, e : VAR cell 
C, D : VAR memory 
w : VAR MBvec 
h : VAR MBmatrix 
us, ps, X, Y : VAR Pstate 
cs : VAR cell_state 
fr : VAR frame_cntr 
K, L : VAR control_state 

memory_equal : OBLIGATION 
  (∀ c : CS_eq(cell_mem(C, c), cell_mem(D, c))) ⊃ C = D 

exec_task_ax : OBLIGATION 
  sched_cell(frame(ps.control), q) ≠ c 
    ⊃ CS_eq(cell_mem(exec_task(u, ps, q).memry, c), cell_mem(ps.memry, c)) 

exec_task_ax_2 : OBLIGATION 
  cnst_eq(exec_task(u, ps, q).control, ps.control) 

A.5 Module frame_funs_to_gc_hw 

K : VAR control_state 

succ_cntr_ax : OBLIGATION frame(succ_cs(K)) = next_fr(frame(K)) 

pred_cntr_ax : OBLIGATION frame(pred_cs(K)) = prev_fr(frame(K)) 

pred_succ_ax : OBLIGATION cnst_eq(pred_cs(succ_cs(K)), K) 

succ_congruence : OBLIGATION 
  cnst_eq(K, control_state_var1) 
    ⊃ cnst_eq(succ_cs(K), succ_cs(control_state_var1)) 

pred_congruence : OBLIGATION 
  cnst_eq(K, control_state_var1) 
    ⊃ cnst_eq(pred_cs(K), pred_cs(control_state_var1)) 

A.6 Module minimal_v_to_minimal_hw 

k, l : VAR nat 
c, d : VAR cell 
H : VAR nat 
C, D : VAR memory 
ps, X, Y : VAR Pstate 
w : VAR MBvec 
K, L : VAR control_state 
cc : VAR cell 
q, sf : VAR sub_frame 
cfn : VAR cell_fn 

cell_apply_MAP_EQ : OBLIGATION 
  (IF k = 0 ∨ k > num_cells THEN C 
   ELSE 
     IF v_sched(frame(K), k − 1) 
       THEN write_cell(cell_apply(cfn, K, C, k − 1), k − 1, cfn(k − 1)) 
       ELSE cell_apply(cfn, K, C, k − 1) END 
   END 
   = IF k = 0 ∨ k > num_cells THEN C 
     ELSE 
       IF v_sched(frame(K), k − 1) 
         THEN write_cell(cell_apply(cfn, K, C, k − 1), k − 1, cfn(k − 1)) 
         ELSE cell_apply(cfn, K, C, k − 1) END 
     END) 

f_s_ax : OBLIGATION 
  IF v_sched(frame(ps.control), cc) 
    THEN CS_eq(cebuf(f_s(ps), cc), cell_mem(ps.memry, cc)) 
    ELSE CS_eq(cebuf(f_s(ps), cc), cs0(cc)) END 

f_s_control_ax : OBLIGATION cnst_eq(cnbuf(f_s(ps)), ps.control) 

f_v_ax : OBLIGATION 
  cnst_eq(f_v(ps, w).control, k_maj(w)) 
  ∧ f_v(ps, w).memry 
      = cell_apply((λ c : t_maj(w, c)), ps.control, ps.memry, num_cells) 

cell_input_constraint : OBLIGATION 
  cnst_eq(X.control, Y.control) 
  ∧ sched_cell(frame(X.control), q) = c 
  ∧ (∀ d : cell_input(d, c) ⊃ cells_match(X, Y, d)) 
    ⊃ cells_match(exec_task(u, X, q), exec_task(u, Y, q), c) 

A.7 Module maj_funs_to_minimal_hw 

A : VAR set[processors] 
c : VAR cell 
w : VAR MBvec 
cs : VAR cell_state 
K : VAR control_state 
p : VAR processors 

k_maj_ax : OBLIGATION 

(3 A : maj-Condition(A) A (V p : member(p, A) D cnst_eq(cnbuf(tw(p)), K))) 
D cnst_eq(k_maj(ty), K) 

t.maj-ax : OBLIGATION 

(3A: 

maj_condition(A) A (V p : member(p, A) D CS_eq(cebuf( w(p),c), cs))) 

D CSjeq(t_maj(ty,c), cs) 

t_majJen_ax : OBLIGATION csJength(t_maj(u>,c)) = cJength(c) 


A. 8 Module DA_minv_to_LE 


da : VAR DAstate 
u : VAR inputs 
i, p, q, qq : VAR processors 
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T : VAR number 
X,Y : VAR number 
D : VAR number 

broadcast-duration : OBLIGATION 

(1 — Rho) * abs(duration(broadcast) — 2 * v * duration(compute) — v * duration(broadcast)) — b 
> max_comm_delay 

broadcast_duration2 : OBLIGATION 
duration( broadcast) — 2 * v * duration(compute) — v * duration(broadcast) 

> 0 

alLdurations : OBLIGATION 

(1 + v) * duration(compute) + (1 + v) * duration(broadcast) < frame-time 

pos.durations : OBLIGATION 
0 < (1 - v) * duration(compute) 

A 0 < (1 — r/) * duration(broadcast) 

A 0 < (1 — v) * duration (vote) A 0 < (1 — v) * duration(sync) 

A. 9 Module maxf_to_maxf_model 

5 : VAR finite_set[nat] 
a, b : VAR nat 
max_ax : OBLIGATION 
(member(a, S ) D max(5) >- a) 

A IF empty(S) 

THEN max(S) = 0 
ELSE 

(3 b : member(6, 5) A b = max(S)) END 

A. 10 Module maj_hw_to_maj_hw_model 

A : VAR set [processors] 
c : VAR cell 
w : VAR MBVEC 
cs : VAR cell-state 
K : VAR control-state 
p : VAR processors 
k_maj_ax : OBLIGATION 

(3 A : maj_condition(A) A (V p : member(p, A) D cnst_eq(cnbuf (u;(p) ), K))) 

D cnst_eq(k_maj(tu), K) 

t-maj jx : OBLIGATION 

(3 A: 

maj-condition(A) A (V p : member(p, A) D CS.eq(cebuf(ti>(p),c), cs))) 

D CS_eq(t_maj(w, c), cs) 


♦ 
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t_majJen_ax : OBLIGATION cs_length(t_maj(w,c)) = cJength(c) 


A. 11 Module RS_majority_to_RS_maj_model 

k : VAR nat 
p : VAR processors 
us : VAR Pstate 
rs : VAR RSstate 
A : VAR set [processors] 

majjexists : FUNCTION[RSstate — * boolean] = 

(A rs : 

(3 A, us : 

maj_condition(A) A (V p : member(p, A) D (rs(p)).proc_state = us))) 
maj-ax : OBLIGATION 

(3 A : maj_condition(A) A (V p : member(p, A) D (rs(p)).proc_state = us)) 
D maj(rs) = us 
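The majority obligations above (k_maj_ax, t_maj_ax and t_maj_len_ax in A.7 and A.10, and maj_ax in A.11 for processor states) fix what any implementation of the vote must guarantee: whenever some set A satisfying maj_condition agrees on a value, the vote returns that value, and the cell vote returns a state of the right length even when no majority exists. The Python below is an added illustration, not code from the report or from the EHDM specification; it assumes nrep = 4, a strict-majority maj_condition, constructed mailbox contents, and checks the obligations exhaustively over every subset A.

```python
from collections import Counter
from dataclasses import dataclass
from itertools import combinations
from typing import Callable, Dict, FrozenSet, Iterator, List, Optional, Tuple

CellState = Tuple[int, ...]

# Constructed parameters (assumptions, not from the report): four replicas and
# two cells, with C_LENGTH playing the role of c_length(c).
NREP = 4
PROCESSORS = tuple(range(NREP))
C_LENGTH: Dict[int, int] = {0: 2, 1: 3}


@dataclass(frozen=True)
class Mailbox:
    """One processor's broadcast mailbox w(p): cnbuf carries its control
    state, cebuf carries the cell state it sent for each cell."""
    cnbuf: int
    cebuf: Dict[int, CellState]


MBvec = Dict[int, Mailbox]


def maj_condition(A: FrozenSet[int]) -> bool:
    # Assumption: maj_condition(A) holds when A is a strict majority of nrep.
    return 2 * len(A) > NREP


def cs0(c: int) -> CellState:
    # Null cell state of the required length, the fallback when the vote fails.
    return (0,) * C_LENGTH[c]


def _strict_majority(values: List, default):
    # The value held by more than half of the nrep entries, else default.
    value, count = Counter(values).most_common(1)[0]
    return value if 2 * count > NREP else default


def k_maj(w: MBvec) -> Optional[int]:
    # Control-state vote; None records that no majority existed.
    return _strict_majority([w[p].cnbuf for p in PROCESSORS], None)


def t_maj(w: MBvec, c: int) -> CellState:
    # Cell-state vote for cell c; cs0(c) keeps t_maj_len_ax true on failure.
    return _strict_majority([w[p].cebuf[c] for p in PROCESSORS], cs0(c))


def agreeing_majorities(w: MBvec, key: Callable[[Mailbox], object]
                        ) -> Iterator[Tuple[FrozenSet[int], object]]:
    # Every set A with maj_condition(A) whose members all agree under key,
    # i.e. every witness for the antecedent of k_maj_ax / t_maj_ax.
    for size in range(NREP + 1):
        for members in combinations(PROCESSORS, size):
            A = frozenset(members)
            values = {key(w[p]) for p in A}
            if maj_condition(A) and len(values) == 1:
                yield A, values.pop()


def k_maj_ax_holds(w: MBvec) -> bool:
    return all(k_maj(w) == K for _, K in agreeing_majorities(w, lambda m: m.cnbuf))


def t_maj_ax_holds(w: MBvec, c: int) -> bool:
    return all(t_maj(w, c) == cs
               for _, cs in agreeing_majorities(w, lambda m: m.cebuf[c]))


def t_maj_len_ax_holds(w: MBvec, c: int) -> bool:
    return len(t_maj(w, c)) == C_LENGTH[c]


# Constructed mailbox vectors: three good replicas plus one faulty one, and a
# 2-2 split in which no set A satisfies the antecedent of the obligations.
GOOD = Mailbox(cnbuf=7, cebuf={0: (1, 2), 1: (3, 4, 5)})
FAULTY = Mailbox(cnbuf=9, cebuf={0: (8, 8), 1: (0, 0)})  # cell 1 has the wrong length
W_ONE_FAULT: MBvec = {0: GOOD, 1: GOOD, 2: FAULTY, 3: GOOD}
W_SPLIT: MBvec = {0: GOOD, 1: GOOD, 2: FAULTY, 3: FAULTY}

if __name__ == "__main__":
    for name, w in (("one fault", W_ONE_FAULT), ("2-2 split", W_SPLIT)):
        ok = k_maj_ax_holds(w) and all(
            t_maj_ax_holds(w, c) and t_maj_len_ax_holds(w, c) for c in C_LENGTH)
        print(name, "k_maj =", k_maj(w), "t_maj(c=1) =", t_maj(w, 1), "obligations hold:", ok)
```

In the split case the obligations hold vacuously, which is why t_maj_len_ax is needed separately: it is the only one of the three that constrains the vote when no majority exists.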

A.12 Module algorithm_mapalgorithm

T, T0, T1, X, II : VAR number
i : VAR period
p, q, r : VAR proc
rr, ii, qq, nn : VAR nat
s : VAR proc_set
n : proc = nrep

A0 : OBLIGATION skew(p, q, T_sup(0), 0) < delta0

A2 : OBLIGATION
  nonfaulty(p, i) ∧ nonfaulty(q, i) ∧ S1C(p, q, i) ∧ S2(p, i) ∧ S2(q, i)
    ⊃ abs(Delta2(q, p, i)) < S
      ∧ (∃ T0 :
           in_S_interval(T0, i)
             ∧ abs(rt(p, i, T0 + Delta2(q, p, i)) - rt(q, i, T0)) < eps)

A2_aux : OBLIGATION Delta2(p, p, i) = 0

C0 : OBLIGATION ngood(i) > 0

C2 : OBLIGATION S > Σ

C3 : OBLIGATION Σ > Λ

C4 : OBLIGATION Λ > δ + eps + half(ρ) * S

C5 : OBLIGATION δ > delta0 + ρ * R

C6 : OBLIGATION
  δ > 2 * (eps + ρ * S) + 2 * nfaulty(i) * Λ/ngood(i)
      + n * ρ * i2/ngood(i)
      + ρ * Λ
      + n * ρ * Σ/ngood(i)

C6_opt : OBLIGATION
  δ > 2 * (eps + ρ * S) * (ngood(i) - 1)/ngood(i)
      + 2 * nfaulty(i) * Λ/ngood(i)
      + n * ρ * U/ngood(i)
      + ρ * Λ * (ngood(i) - 1)/ngood(i)
      + n * ρ * Σ/ngood(i)
B Ehdm Status Reports: M-x amps, mpcs, amos

The following reports were generated by EHDM after completion of the specification and 
proof activities. Included are the following reports: 

1. Module Proof Chain Status (mpcs) 

2. All Module Proof Status (amps) 

3. All Module Obligation Status (amos) 

Refer to the Ehdm user documentation for detailed explanations of the report formats. Note 
that to conserve space some portions of these reports have been deleted so that only the more 
useful items of information are presented. The complete status reports can be obtained from 
the FTP directory cited in section 1.5. 

B.l Module Proof Chain Status (mpcs) 

Excerpts of this report have been reproduced below with the “terse proof chains” moved to 
the end. 


SUMMARY

The proof chain is complete

All TCCs and module assumptions have been proved

The axioms and assumptions at the base are:
cardinality!card_ax
cardinality!card_empty
cardinality!card_subset
cell_funs!sched_cell_ax
frame_funs!pred_cntr_ax
frame_funs!pred_succ_ax
functions1!extensionality1
LE!all_durations
LE!broadcast_duration2
mailbox_hw!map_ax
mailbox_hw!MBcell_separation
mailbox_hw!MBmap_high_ax
mailbox_hw!MB_size_ax
maxf_model!ubound_ax
memory_generic!addrs_ty_extensionality
naturalnumbers!nat_invariant
noetherian!general_induction
numbers!mult_pos
path_funs!full_recovery_condition
phase_defs!distinct_phases
phase_defs!member_phases
rcp_defs_hw!cells_for_all_ax
rcp_defs_hw!cell_map_length_ax
rcp_defs_hw!cell_separation
rcp_defs_hw!control_state_extensionality
recursive_maj!card_add
to_minimal_hw_prf_2!t_write_set_ax_1
to_minimal_hw_prf_2!t_write_set_ax_2
Total: 28

The definitions and type-constraints are:
absolutes!abs

US!N_us
Total: 196

The formulae used are:
absolutes!abs

US!N_us
Total: 1069

The completed proofs are:
absolutes!abs_div2_proof

to_minimal_hw_prf_2!p_CS_eq_need
Total: 781


Terse proof chains for module everything

RS_majority!maj_ax
  is shown to be a consistent axiom by mapping module to_RS_maj_model

generic_FT!vote_maj
  is shown to be a consistent axiom by mapping module to_minimal_v

maxf!max_ax
  is shown to be a consistent axiom by mapping module to_maxf_model

rcp_defs_imp!cells_ax
  is shown to be a consistent axiom by mapping module to_hw

maj_funs!t_maj_len_ax
  is shown to be a consistent axiom by mapping module to_minimal_hw

maj_hw!k_maj_ax
  is shown to be a consistent axiom by mapping module to_maj_hw_model

maj_hw!t_maj_ax
  is shown to be a consistent axiom by mapping module to_maj_hw_model

gen_com!memory_equal
  is shown to be a consistent axiom by mapping module to_gc_hw

rcp_defs_imp!Pstate_extensionality
  is shown to be a consistent axiom by mapping module to_hw

minimal_v!f_v_ax
  is shown to be a consistent axiom by mapping module to_minimal_hw

minimal_v!f_s_control_ax
  is shown to be a consistent axiom by mapping module to_minimal_hw

minimal_v!cell_input_constraint
  is shown to be a consistent axiom by mapping module to_minimal_hw

gen_com!exec_task_ax_2
  is shown to be a consistent axiom by mapping module to_gc_hw

gen_com!exec_task_ax
  is shown to be a consistent axiom by mapping module to_gc_hw

rcp_defs_imp!write_cell_ax
  is shown to be a consistent axiom by mapping module to_hw

minimal_v!f_s_ax
  is shown to be a consistent axiom by mapping module to_minimal_hw

generic_FT!components_equal
  is shown to be a consistent axiom by mapping module to_minimal_v

generic_FT!full_recovery
  is shown to be a consistent axiom by mapping module to_minimal_v

generic_FT!recovery_period_ax
  is shown to be a consistent axiom by mapping module to_minimal_v

generic_FT!control_recovered
  is shown to be a consistent axiom by mapping module to_minimal_v

generic_FT!succ_ax
  is shown to be a consistent axiom by mapping module to_minimal_v

generic_FT!cell_recovered
  is shown to be a consistent axiom by mapping module to_minimal_v

generic_FT!dep_recovery
  is shown to be a consistent axiom by mapping module to_minimal_v

generic_FT!initial_recovery
  is shown to be a consistent axiom by mapping module to_minimal_v

generic_FT!control_nc
  is shown to be a consistent axiom by mapping module to_minimal_v

generic_FT!cells_nc
  is shown to be a consistent axiom by mapping module to_minimal_v

algorithm!C0
  is shown to be a consistent axiom by mapping module mapalgorithm

algorithm!C3
  is shown to be a consistent axiom by mapping module mapalgorithm

time!C1
  is shown to be a consistent axiom by mapping module maptime

algorithm!C2
  is shown to be a consistent axiom by mapping module mapalgorithm

DA!pos_durations
  is shown to be a consistent axiom by mapping module to_DA_minv

DA_minv!broadcast_duration
  is shown to be a consistent axiom by mapping module to_LE

algorithm!A0
  is shown to be a consistent axiom by mapping module mapalgorithm

algorithm!C6
  is shown to be a consistent axiom by mapping module mapalgorithm

algorithm!A2
  is shown to be a consistent axiom by mapping module mapalgorithm

algorithm!C4
  is shown to be a consistent axiom by mapping module mapalgorithm

algorithm!A2_aux
  is shown to be a consistent axiom by mapping module mapalgorithm

algorithm!C6_opt
  is shown to be a consistent axiom by mapping module mapalgorithm

B.2 All Module Proof Status (amps) 

This report is reproduced in its entirety. 


Proof status for modules on using chain of module everything 
Proof summary for module words 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 

Proof summary for module def ined_types 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 


Proof summary for module nat.types 

p.upto.TCCl PROVED 

p_upf romJTCCi PROVED 

p J>elowJTCCl PROVED 

p_above_TCCl PROVED 

Totals: 4 proofs, 4 attempted, 4 succeeded, 2 seconds. 

Proof summary for module interp_rcp 

p_processors_TCCl PROVED 

Totals: 1 proofs, 1 attempted, 1 succeeded, 0 seconds. 

Proof summary for module numeric_types 

p_posnum_TCCl PROVED 

p_nonnegnum_TCCl PROVED 

p_fraction_TCCl PROVED 


1 seconds 

0 seconds 

1 seconds 
0 seconds 


0 seconds 


0 seconds 

1 seconds 
0 seconds 
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Totals: 3 proofs, 3 attempted, 3 succeeded, 1 seconds. 


Proof summary for module arithmetics 

quotient .pos.proof PROVED 

mult _mon_pr oof PROVED 

div.mon.proof PROVED 

div.mult.proof PROVED 

mult _pos .alt .proof PROVED 

mult _mon2_pr oof PROVED 

div_mon2 .proof PROVED 

Totals: 7 proofs, 7 attempted, 7 succeeded, 4 seconds. 

Proof summary for module noetherian 

mod.proof PROVED 

Totals: 1 proofs, 1 attempted, 1 succeeded, 2 seconds. 

Proof summary for module natprops 

diff .zero.proof PROVED 

pred.diff _ proof PROVED 

dif f 1 .proof PROVED 

diff.diff .proof PROVED 

diff .plus.proof PROVED 

diff .ineq.proof PROVED 


Totals: 6 proofs, 6 attempted, 6 succeeded, 12 seconds. 
Proof summary for module phase.defs 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 


Proof summary for module sets - 

p.extensionality PROVED 

Totals: 1 proofs, 1 attempted, 1 succeeded, 1 seconds. 

Proof summary for module rcp.defs.i 

processor s.TCCl.PRQOF PROVED 

Totals: 1 proofs, 1 attempted", 1 succeeded, 0 seconds. 

Proof summary for module memory.generic 

p.address.ty.TCCl PROVED 

p_address.range_ty.TCCl PROVED 

p.addr.len.ty.TCC 1 PROVED 

p.test PROVED 

Totals: 4 proofs, 4 attempted, 4 succeeded, 6 seconds. 

Proof summary for module finite.sets 

finite_set_TTCl PROVED 


Totals: 1 proofs , 1 attempted, 1 succeeded, 2 seconds. 

Proof summary for module rcp_defs_i2 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 

Proof summary for module nat. induct ions 


discharge PROVED 

nat.induction PROVED 


0 seconds 

1 seconds 

0 seconds 

1 seconds 

0 seconds 

1 seconds 
1 seconds 


2 seconds 


1 seconds 

2 seconds 
2 seconds 
4 seconds 

1 seconds 

2 seconds 


1 seconds 


0 seconds 


0 seconds 

1 seconds 
0 seconds 
5 seconds 


2 seconds 


0 seconds 

1 seconds 
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nat.complete PROVED 

reachability PROVED 


Totals: 4 proofs, 4 attempted, 4 succeeded, 3 seconds. 

Proof summary for module bounded. induct ion 

p.upto. induct ion 

p.well.founded 

p.reachability 

Totals: 3 proofs, 3 attempted, 3 succeeded, 4 seconds. 

Proof summary for module maprcp 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 

Proof summary for module absolutes 


abs .times .proof PROVED 

abs_recip.TCCl.pr PROVED 

abs.recip.proof PROVED 

abs.div.proof PROVED 

abs .proof 0 PROVED 

abs.proof 1 PROVED 

abs.proof 2 ^ PROVED 

abs.proof 2b PROVED 

abs.proof 2c PROVED 

abs.proof 3 PROVED 

abs.proof 4 PROVED 

abs.proof 5 PROVED 

abs.proof 6 PROVED 

abs.proof 7 PROVED 

abs.proof 8 .PROVED 

pos.abs.proof PROVED 

abs_div2_proof PROVED 

rearrange 1_ proof PROVED 

rearrange2_proof PROVED 

rearrange.proof PROVED 

rearrange.alt.proof r PROVED 

p.abs.leq * PROVED 


Totals: 22 proofs, 22 attempted, 22 succeeded, 27 seconds. 

Proof summary for module nat induct ion 

discharge 

ind.proof 

ind.m.proof 

mod.m.proof 

mod. induct ion.pr oof 

induct ion 1. proof 

mod.induct ionl.proof 

induct ion2.proof 

Totals: 8 proofs, 8 attempted, 8 succeeded, 26 seconds. 

Proof summary for module cardinality 


empty.prop.proof PROVED 

subset .union.proof PROVED 

twice.proof PROVED 


PROVED 

PROVED 

PROVED 

PROVED 

PROVED 

PROVED 

PROVED 

PROVED 


PROVED 

PROVED 

PROVED 


1 seconds 
1 seconds 


3 seconds 
1 seconds 
0 seconds 


6 seconds 

0 seconds 
4 seconds 

1 seconds 
0 seconds 

0 seconds 
4 seconds 

1 seconds 

0 seconds 

1 seconds 

2 seconds 
0 seconds 
0 seconds 
0 seconds 
4 seconds 

0 seconds 

1 seconds 

0 seconds 

1 seconds 
1 seconds 

0 seconds 

1 seconds 


0 seconds 

1 seconds 

2 seconds 
8 seconds 

3 seconds 
1 seconds 
7 seconds 
3 seconds 


0 seconds 
2 seconds 

1 seconds 


80 



card.proof 

Totals: 4 proofs, 4 attempted, 4 succeeded, 4 seconds. 


1 seconds 


PROVED 


Proof summary for module rcp_defs 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 
Proof summary for module maxf .model 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 

Proof summary for module MBmeraory_def s 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 

Proof summary for module memory _defs 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 

Proof summary for module nat ..pigeonholes 


PROVED 2 

bnd occ.sum PROVED 9 

no occ PROVED 87 

no occ 2 P ROVED 21 

one_occ PROVED 26 

all_occ_all_base PROVED 9 

all_occ_all_ind_base PROVED 2 

all_occ_all_ind_ind_l PROVED 3 

all_occ_all_ind_.ind._2 PROVED 4 

all_occ_all_ind PROVED 5 

PROVED 1 

one_occ_exists_l PROVED 48 

one_occ_exists_2 * PROVED 20 

dup_bnd_occ_l_ind PROVED 16 

dup_bnd_occ_l PROVED 3 

dup.bnd. _occ_2_ind PROVED 18 

dup_bnd_occ_2 PROVED 9 

dup_bnd_occ PROVED 1 

pigeonhole_general r PROVED 1 

pigeonhole_duplicates PROVED 0 


Totals: 20 proofs, 20 attempted, 20 succeeded, 285 seconds. 
Proof summary for module maxf 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 

Proof summary for module cell_funs 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 

Proof summary for module rcp_defs_imp 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 

Proof summary for module rcp_def s_i_maprcp 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 

Proof summary for module interptime 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 


seconds 

seconds 

seconds 

seconds 

seconds 

seconds 

seconds 

seconds 

seconds 

seconds 

seconds 

seconds 

seconds 

seconds 

seconds 

seconds 

seconds 

seconds 

seconds 

seconds 
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Proof summary for module sigmaprops 

sc.basis.proof PROVED 

sc.step.proof PROVED 

sc.proof PROVED 

sm.bas is .proof . .PROVED 

sm.step.proof PROVED 

sm.proof PROVED 

mod.sigma.mult .proof .PROVED 

ss.basis.proof PROVED 

ss.step.proof PROVED 

ss.proof PROVED 

slb.proof PROVED 

sls.proof PROVED 

sigmal.proof PROVED 

srb.proof PROVED 

srp.proof PROVED 

sigma.rev.proof PROVED 

split .basis. proof . PROVED 

split. step.proof * PROVED 

split .proof PROVED 

sa.basis.proof PROVED 

sa. step.proof PROVED 

sa_proof PROVED 

bounded.proof PROVED 

sb. bas is. proof PROVED 

alt.sigma.bound_one.step.proof PROVED 

sigma.split.proof PROVED 

alt.sb.step.proof PROVED 

sb.step.proof : PROVED 

sb.proof PROVED 

sigma.bound.proof PROVED 

Totals: 30 proofs, 30 attempted, 30 succeeded, 106 seconds. 

Proof summary for module time 

posR.proof . . PROVED 

posS.proof PROVED 

SinR.proof PROVED 

T.next .proof PROVED 

Ti.proof PROVED 

inRS .proof PROVED 

Ti.in.S.proof PROVED 

in.S.proof PROVED 

Totals: 8 proofs, 8 attempted, 8 succeeded, 6 seconds. 

Proof summary for module proc.sets 

p.nat .nit PROVED 

p.card.fullset PROVED 

discharge.f inite PROVED 

Totals: 3 proofs, 3 attempted, 3 succeeded, 2 seconds. 


Proof summary for module to.maxf .model 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 


1 seconds 

0 seconds 

2 seconds 

1 seconds 

3 seconds 

4 seconds 
1 seconds 
1 seconds 
3 seconds 
6 seconds 
1 seconds 
1 seconds 
6 seconds 
1 seconds 

1 seconds 

6 seconds 
3 seconds 

7 seconds 
13 seconds 

2 seconds 

3 seconds 
3 seconds 
2 seconds 
2 seconds 
1 seconds 
1 seconds 

1 seconds 
0 seconds 

28 seconds 

2 seconds 


0 seconds 

0 seconds 

1 seconds 

0 seconds 

1 seconds 
1 seconds 

1 seconds 

2 seconds 


0 seconds 

1 seconds 
1 seconds 
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Proof summary for module rcp.defs.hw 

p_csO_TCCl PROVED 

p_writ«_cell_TCCl PROVED 

p_c«ll_map_high_ax PROVED 

p_c«ll_map_l«ngth_lem PROVED 

p_cell_map_low_lem PROVED 

Totals: 5 proofs, B attempted, 5 succeeded, B seconds. 

Proof summary for module cell.inductions 

reachability PROVED 

cell.nat .induction PROVED 

c3_well_f ounded PROVED 

cell_nat_induction_2 PROVED 

n3_well_f ounded PROVED 

path_cell_nat_induction PROVED 

n5_well_f ounded PROVED 

Totals: 7 proofs, 7 attempted, 7 succeeded, 36 seconds. 

Proof summary for module path.funs 

rec.set.TCCl PROVED 

NF_rec_set_TCCl PROVED 

path.len_set.TCCl PROVED 

all_rec_set_TCCl PROVED 


Totals: 4 proofs, 4 attempted, 4 succeeded, 17 seconds. 
Proof summary for module maj.funs 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 
Proof summary for module to.imp 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 

Proof summary for module interpclocks 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 

Proof summary for module maptrime 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 


Proof summary for module proc_ induct ion 

p.processors.induction PROVED 

p.well_f ounded PROVED 

p.reachability PROVED 

proc.plus _TCC 1 .PROOF PROVED 

Totals: 4 proofs, 4 attempted, 4 succeeded, 5 seconds. 

Proof summary for module sums 

counter.converseO.proof PROVED 

counter.converse.i.proof PROVED 

counter.converse.proof i PROVED 

partsumsO.proof PROVED 

part sums, i.pr oof PROVED 

part sum.proof PROVED 

part.lem.proof PROVED 

part.partsums.proof PROVED 


1 seconds 

2 seconds 

0 seconds 

1 seconds 
1 seconds 


0 seconds 

7 seconds 
0 seconds 

8 seconds 
0 seconds 

21 seconds 
0 seconds 


4 seconds 

5 seconds 
4 seconds 
4 seconds 


4 seconds 

0 seconds 

1 seconds 
0 seconds 


5 seconds 
35 seconds 

6 seconds 
3 seconds 
9 seconds 

12 seconds 
3 seconds 
2 seconds 
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part _count .proof PROVED 

aum_countO_proof . PROVED 

sum.count.ind.proof PROVED 

sum. count .proof PROVED 

count er.boundO.pr oof . ; PROVED 

intermediate.proof PROVED 

count er .bound. i.pr oof . .PROVED 

count er.bound.pr oof PROVED 

mean.lemma.proof PROVED 

split.sum.proof PROVED 

split .mean.proof * PROVED 

sum.bound.mod.proof PROVED 

sum.bound0.proof PROVED 

sum.bound.proof PROVED 

mean.bound.proof PROVED 

mean.const.proof PROVED 

sum.mult .proof PROVED 

mean.mult.proof PROVED 

mean, sum.pr oof PROVED 

mean.diff .proof PROVED 

abs.sum.proof PROVED 

abs .mean.proof PROVED 

rearrange, sub.proof PROVED 

rearrange, sum.proof PROVED 

p.sigma.restrict.O PROVED 

p.sigma.restrict.s PROVED 

p.sigma.restrict PROVED 

p.sig.restrict PROVED 

p.sum.restrict .* PROVED 

p_sum.restrict.eq PROVED 

p_mean.restrict.eq PROVED 


Totals: 39 proofs, 39 attempted, 39 succeeded, 242 seconds. 
Proof summary for module clocks 


rho.pos.proof r PROVED 

rho.small.proof ’ PROVED 

dimini sh.pr oof PROVED 

monoproof PROVED 


Totals: 4 proofs, 4 attempted, 4 succeeded, 5 seconds. 

Proof summary for module generic.FT 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 

Proof summary for module maxf.to.maxf .model 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 

Proof summary for module mmu.def 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 
Proof summary for module recursive.maj 


card, singlet on PROVED 

nrep.f ullset PROVED 

union.plus.one PROVED 
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5 seconds 
1 seconds 
7 seconds 
4 seconds 

18 seconds 
1 seconds 
9 seconds 
7 seconds 
1 seconds 

6 seconds 
10 seconds 

4 seconds 
1 seconds 
4 seconds 
3 seconds 


Proof summary lor module mailbox.hw 

p.MBcell.TCCl 

p.MBmap.low.lem 

p.MBmap.lem 

p.MBmap_lem.2 

Totals: 4 proofs, 4 attempted, 4 succeeded, 6 seconds. 

Proof summary for module frame.funs 

p.succ.le.plus 

p„mod.minus_zero 

p.mod.minus.plus 

Totals: 3 proofs, 3 attempted; 3 succeeded, 22 seconds. 

Proof summary for module rcp.def s.to.imp 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 

Proof summary for module interpalgorithm 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 

Proof summary for module time_maptime 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 

Proof summary for module mapclocks 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 

Proof summary for module algorithm 

p.gbl.O . 

p_gbl_s 

P-g bl 

P-g bl 

good.bad.prool 

SIC.self .proof 

C6.TCC1.PR00F 

pos.terms 

COa.proof 

Al.proof 



PROVED 2 seconds 
PROVED 1 seconds 
PROVED 2 seconds 
PROVED 1 seconds 


PROVED 0 seconds 
PROVED 4 seconds 
PROVED 18 seconds 


intersect ion.plus. one PROVED 

cfen.base. PROVED 

clen.ind PROVED 

card.f ullset.eq.nrep PROVED 

ma j .cond.unique PROVED 

rml.base PROVED 

rml.ind PROVED 

rec.ma j .lemma PROVED 

maj .card.lemma PROVED 

rec.maj.cond PROVED 

rec.ma j _cond.2 PROVED 

r ec.maj _cond_3 PROVED 

zp.base PROVED 

zp.ind PROVED 

zpred.pre served PROVED 


Totals: 18 proofs, 18 attempted, 18 succeeded, 94 seconds. 
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C2and3_proof PROVED 

npos.proof PROVED 

clock.proof . . . . . PROVED 

D2bar_prop_proof PROVED 

SIC.lemma.proof PROVED 

Theorem_2_proof PROVED 


Totals: 16 proofs, 16 attempted, 16 succeeded, 206 seconds. 
Proof summary for module DS 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 

Proof summary for module US 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 

Proof summary for module RS 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 

Proof summary for module maj.hw.model 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 

Proof summary for module maxf.to.maxf .model _prf 


below.empty.eq PROVED 

below_empty.nl PROVED 

below. empty_n2 PROVED 

rmax.bound PROVED 

max_ax_base PROVED 

max.ax.ind.i PROVED 

max_ax_ind_2_a PROVED 

max_ax_ind_2_b t PROVED 

max_ax_ind_2 PROVED 

max _ax_ ind PROVED 

max.ax PROVED 


Totals: 11 proofs, 11 attempted, 11 succeeded, 244 seconds. 
Proof summary for module majihw 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 

Proof summary for module gc.hw 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 

Proof summary for module RS.maj .model 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 

Proof summary for module to.hw 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 

Proof summary for module gen.com 


P-.exe.base PROVED 

p_exec.ctrl.base PROVED 

p_exec.ctrl.ind PROVED 

p.exec.ctrl PROVED 

P.LEM2.0 PROVED 

p.LEM2.s PROVED 
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p_LEM2 PROVED 

p_exe_ind_l PROVED 

p_exe_ind_2 PROVED 

p_exec_element PROVED 


Totals: 10 proofs, 10 attempted, 10 succeeded, 32 seconds. 

Proof summary for module clocks_mapclocks 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 

Proof summary for module mapalgorithm 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 


Proof summary for module juggle_opt 

mult_div_proof PROVED 

stepl_proof PROVED 

step2 proof PROVED 

final PROVED 

r earrange_delt a_opt _TCC 1 .proof PROVED 

Totals: 6 proofs, 5 attempted, 5 succeeded, 20 seconds. 

Proof summary for module clockprops 

i2R_proof PROVED 

upper _bound_proof PROVED 

basis_proof . . . PROVED 

small_shift_proof PROVED 

ind.proof PROVED 

adj _pos_proof PROVED 

lower _bound_proof PROVED 

lower bound2_proof PROVED 

gc.proof PROVED 

bounds_proof PROVED 

rmproof PROVED 

full_part_sum_proof PROVED 


Totals: 12 proofs, 12 attempted, 12 succeeded, 26 seconds. 
Proof summary for module DSJto_RS 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 

Proof summary for module RS_majority 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 

Proof summary for module to_maj_hw_model 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 


Proof summary for module minimal_hw 

p_f _s_mem_TCCl PROVED 

P-f-S_lem_TCCl PROVED 

p_f _s_lem_TCC2 PROVED 

p_cell_fn_TCCl PROVED 

Totals: 4 proofs, 4 attempted, 4 succeeded, 10 seconds. 

Proof summary for module gc_hw_prf 

p_small_lem PROVED 
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pJbLide_sm_lem_0. . PROVED 4 

p _hide_sm_lem_s . PROVED 45 

p_hide_sm_lem PROVED 1 

p_small_eq_lem. . . PROVED 1 

p_me_lem_0 PROVED 5 

p_m«_l*®_8 la PROVED i 1 

p_im_slb PROVED 1 

p_me_lem_slb PROVED 31 

p_me_lem_s 1 PROVED 1 

P-me_lem_s2 PROVED 2 

p_me_lem_s PROVED 3 

p_me_lem PROVED 3 

p_match_exists_lem PROVED 2 

p_match„exi8ts - lem2a PROVED 4 

p_mat ch_ exists _1 em2b PROVED 4 

p_mat ch_ exists _1 em3 PROVED 8 

p_smallest_adr_lem PROVED 12 

p_mel4a PROVED 41 

p_match_exists_lem4 .PROVED 3 

p.writ e_em_prop_n_0 PROVED 4 

p.wepl PROVED 2 

p_wep2b PROVED 3 

p_wep2 PROVED 6 

p_wep4_a .PROVED 2 

p_wep4_b PROVED 2 

p_wep4 PROVED 4 

p.wep^sl PROVED 145 

p.wep_s2 PROVED 11 

p_wep_s3 PROVED 31 

p_wepns_lem PROVED 2 

p_write_em_prop_n_s PROVED 1 

p_wr ite_em_prop_n PROVED 1 

p_write_em_prop PROVED 5 

p_wr ite_em_lem PROVED 4 


Totals: 35 proofs, 35 attempted, 35 succeeded, 410 seconds. 
Proof summary for module to_gc_hw 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 

Proof summary for module to_RS_maj .model 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 

Proof summary for module rcp_defs_imp_to_liw 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 


Proof summary for module minimally 

p_cell_fn_TCCl PROVED 0 

p_f _v_ax_TCC 1 PROVED 1 

Totals: 2 proofs, 2 attempted, 2 succeeded, 1 seconds. 


Proof summary for module DS.lemmas 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 
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Proof summary for module algor ithm.mapalgorithm 
Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 


Proof summary for module lemmaB 

raarrang«2_proof PROVED 

lenunaBproof PROVED 

Totals: 2 proofs, 2 attempted, 2 succeeded, 3 seconds. 

Proof summary for module lemma2 

lemma2_proof PROVED 

lemma2a_proof PROVED 

lemma2b_proof PROVED 

lemma2c_proof PROVED 

lemma2d_proof PROVED 

lemma2e_proof • PROVED 

Totals: 6 proofs, 6 attempted, 6 succeeded, 28 seconds. 


Proof summary for module RS.to.US 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 

Proof summary for module maj_hw_to_maj_hw .model 
Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 


Proof summary for module minimal_hw_prf 2 

p.Fsl 

p_Fsl_TCCl 

p_Fs2 

p_Fs2_TCCl 

p_Fs3_TCCl 

p_Fs3_TCC2 

p_Fs3 

p_f _s_lem 

p_f _s_lem_cntrl 

Totals: 9 proofs, 9 attempted, 9 succeeded, 20 seconds. 

Proof summary for module minimal _hw_prf 


p_fc.lem_.a_0 PROVED 

p_f PROVED 

p well founded PROVED 

p_fc_lem_a PROVED 

p_f PROVED 

p_f c_lem_b_s PROVED 

p_f PROVED 

p_cell_of _MB_lem PROVED 

p.cell.of _MB_lem_2 PROVED 

p.cell.of _MB_map_lem_TCCl PROVED 

p.cell.of _MB_map_lem PROVED 

p_p_cell_of _MB_map_lem_TCC2 PROVED 

P-P-Cell_of _MB_map_lem_TCC3 PROVED 


Totals: 13 proofs, 13 attempted, 13 succeeded, 328 seconds. 

Proof summary for module frame_funs_to_gc_hw 
Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 
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Proof summary for modulo to.minimal.hv 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 


Proof summary for module RS_maj or it y_to_RS_maj_ model 
Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 

Proof summary for module rcp_daf s_imp_to_h.w_prf 


p_cells_ax PROVED 

p_caseO PROVED 

p_cO PROVED 

p.cOb.TCCl PROVED 

p.cOb PROVED 

p_cl_TCCl PROVED 

p_cl PROVED 

p_c2_TCCl PROVED 

p_c2 PROVED 

P_P-C2_TCC2 PROVED 

P-C3_TCC1 PROVED 

p_c3 PROVED 

p_c4 PROVED 

p.casel PROVED 

p«c7_TCCi PROVED 

p_c7 PROVED 

p_c8 PROVED 

p_case2 PROVED 

p.Casel PROVED 

p_Case2 PROVED 

p_write_cell_ax PROVED 

p.nmO PROVED 

p.nml PROVED 

p_nm2 PROVED 

p_nm3 PROVED 

p_null_memory_ax PROVED 

p_cebuf _ax > PROVED 

p_cell_state_reflexive. . PROVED 

p_cell_state_symmetric PROVED 

p_cell_state_transitive PROVED 

p_cs_length_congruence PROVED 

p_write_cell_congruence PROVED 

p_control_state_reflexive PROVED 

p_control_state_symmetric PROVED 

p_control_state_transitive PROVED 

p_f rame.congruence PROVED 


Totals: 36 proofs, 36 attempted, 36 succeeded, 272 seconds. 

Proof summary for module minimal_v_lemmas 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 

Proof summary for module to„minimal_v 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 

Proof summary for module DS_map_proof

p_map_1 PROVED
p_map_2 PROVED
p_map_3 PROVED
p_map_4 PROVED
p_map_6 PROVED
p_map_7 PROVED

Totals: 6 proofs, 6 attempted, 6 succeeded, 24 seconds. 

Proof summary for module DS_support_proof

p_support_1 PROVED
p_support_4 PROVED
p_support_5 PROVED
p_support_6 PROVED
p_support_7 PROVED
p_support_8 PROVED
p_support_9 PROVED
p_support_10 PROVED
p_support_11 PROVED
p_support_12 PROVED
p_support_14 PROVED
p_support_ PROVED


Totals: 12 proofs, 12 attempted, 12 succeeded, 22 seconds. 


Proof summary for module DS_lemmas_prf

p_fr_com_1 PROVED
p_fr PROVED
p_fc_A PROVED
p_fc_B PROVED
p_fc_A_1a PROVED
p_fc_A_1b PROVED
p_fc_A_1c PROVED
p_fc_A_1d PROVED
p_fc_A_1e PROVED
p_fc_A_1f PROVED
p_fc_A_2a PROVED
p_fc_A_2b PROVED
p_fc_A_2c PROVED
p_fc_A_2d PROVED
p_fc_A_3a PROVED
p_fc_A_3b PROVED
p_fc_A_3c PROVED
p_fc_A_3d PROVED


Totals: 18 proofs, 18 attempted, 18 succeeded, 145 seconds. 


Proof summary for module RS_lemmas

p_initial_working PROVED
p_initial_maj_cond PROVED
p_initial_maj PROVED
p_working_set_healthy PROVED
p_consensus_prop PROVED
p_maj_sent PROVED
p_rec_maj_exists PROVED
p_rec_maj_f_ PROVED

Totals: 8 proofs, 8 attempted, 8 succeeded, 36 seconds.


Proof summary for module map_proofs

A0 PROVED
Corr_zero_basis_proof PROVED
Corr_zero_ind_proof PROVED
Corr_zero_proof PROVED
rt_is_T_proof PROVED
goodclocks_proof PROVED
all_nonfaulty_proof PROVED
count_basis_proof PROVED
count_ind_proof PROVED
count_proof PROVED
all_good_proof PROVED
none_faulty_proof PROVED
A2 PROVED
A2_aux PROVED
C0 PROVED
C1 PROVED
C2 PROVED
C3 PROVED
C4 PROVED
C5 PROVED
C6 PROVED
C6_TCC1 PROVED
C6_opt PROVED

Totals: 23 proofs, 23 attempted, 23 succeeded, 296 seconds. 

Proof summary for module lemma3

lemma3_proof PROVED

Totals: 1 proofs, 1 attempted, 1 succeeded, 6 seconds.

Proof summary for module lemma1

lemma1_proof PROVED

Totals: 1 proofs, 1 attempted, 1 succeeded, 6 seconds.

Proof summary for module lemma6

sub1_proof PROVED
sub_A_proof PROVED
sub2_proof PROVED
lemma6_proof PROVED

Totals: 4 proofs, 4 attempted, 4 succeeded, 13 seconds. 

Proof summary for module maj_hw_to_maj_hw_model_prf

eq_reflexive_k PROVED
eq_symmetric_k PROVED
eq_transitive_k PROVED
eq_reflexive_t PROVED
eq_symmetric_t PROVED
eq_transitive_t PROVED
k_maj_ax PROVED
t_maj_ax PROVED
t_maj_len_ax PROVED

Totals: 9 proofs, 9 attempted, 9 succeeded, 134 seconds.


Proof summary for module frame_funs_to_gc_hw_prf

p_succ_cntr_ax PROVED
p_pred_cntr_ax PROVED
(illegible) PROVED
p_pred_succ_ax PROVED
p_succ_congruence PROVED
p_pred_congruence PROVED

Totals: 6 proofs, 6 attempted, 6 succeeded, 9 seconds.


Proof summary for module gen_com_to_gc_hw 

Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds. 


Proof summary for module RS_majority_to_RS_maj_model_prf

eq_reflexive PROVED
eq_symmetric PROVED
eq_transitive PROVED
maj_ax PROVED

Totals: 4 proofs, 4 attempted, 4 succeeded, 16 seconds.


Proof summary for module generic_FT_to_minimal_v
Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds.

Proof summary for module DS_to_RS_prf

p_frame_commutes PROVED
p_initial_maps PROVED

Totals: 2 proofs, 2 attempted, 2 succeeded, 3 seconds.


Proof summary for module RS_invariants

p_base_state_ind PROVED
p_ind_state_ind PROVED
p_state_induction PROVED
p_maj_working_inv_l1 PROVED
p_maj_working_inv_l2 PROVED
p_maj_working_inv PROVED
p_state_rec_inv_l1 PROVED
p_state_rec_inv_l2 PROVED
p_stat PROVED
p_stat PROVED
p_stat PROVED


Totals: 12 proofs, 12 attempted, 12 succeeded, 44 seconds. 


Proof summary for module lemma4

rearrange2_proof PROVED
rearrange3_proof PROVED
sublemma1_proof PROVED
lemma2x_proof PROVED
lemma4_proof PROVED


Totals: 5 proofs, 5 attempted, 5 succeeded, 12 seconds. 


Proof summary for module minimal_v_to_minimal_hw
Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds.


Proof summary for module gen_com_to_gc_hw_prf

p_mem_eq_LEM1_TCC1 PROVED
p_mem_eq_LEM1_TCC2 PROVED
p_mem_eq_LEM1 PROVED
p_p_mem_eq_LEM1_TCC3 PROVED
p_mem_eq_LEM3 PROVED
p_mem_eq_LEM4 PROVED
p_memory_equal PROVED
p_etl1 PROVED
p_etl2 PROVED
p_Is_et_lem_0 PROVED
p_ets1 PROVED
p_ets2 PROVED
p_ets3 PROVED
p_ets4 PROVED
p_ets5 PROVED
p_ets6 PROVED
p_Is_et_lem_s PROVED
p_Is_et_lem PROVED
p_et0 PROVED
p_et1 PROVED
p_et2 PROVED
p_et3 PROVED
p_exec_task_ax PROVED
p_exec_task_ax_2 PROVED


Totals: 24 proofs, 24 attempted, 24 succeeded, 131 seconds. 

Proof summary for module maj_funs_to_minimal_hw
Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds.

Proof summary for module minimal_v_prf_4

ponv_base PROVED
ponv_ind_1 PROVED
ponv_ind_2 PROVED
ponv_ind_3 PROVED
ponv_ind PROVED
path_outputs_not_voted PROVED
pcnv_base PROVED
pcnv_ind_1 PROVED
pcnv_ind_2 PROVED
pcnv_ind_3 PROVED
pcnv_ind PROVED
path_cells_not_voted PROVED
lcnv_base PROVED
lcnv_ind_1 PROVED
lcnv_ind_2 PROVED
lcnv_ind_3 PROVED
lcnv_ind PROVED
last_cell_not_voted PROVED
lcc_base PROVED
lcc_ind_1 PROVED
lcc_ind_2 PROVED 40 seconds
lcc_ind_3 PROVED 7 seconds
lcc_ind PROVED 9 seconds
last_cell_condition PROVED 12 seconds
ncc_base PROVED 8 seconds
ncc_ind_1 PROVED 10 seconds
ncc_ind_2 PROVED 35 seconds
ncc_ind_3 PROVED 11 seconds
ncc_ind PROVED 9 seconds
next_cell_condition PROVED 7 seconds
between_frames_self PROVED 3 seconds
between_frames_prev PROVED 58 seconds
between_frames_prev_2 PROVED 46 seconds
between_frames_prev_3 PROVED 17 seconds
between_frames_prev_4 PROVED 15 seconds
prev_between_frames PROVED 61 seconds
input_path_one PROVED 1 seconds
input_path_zero PROVED 1 seconds
input_path_ext PROVED 6 seconds
mod_minus_prev PROVED 12 seconds
mod_minus_prev_max PROVED 4 seconds
mod_minus_nonzero PROVED 1 seconds
prev_fr_distinct PROVED 3 seconds

Totals: 43 proofs, 43 attempted, 43 succeeded, 648 seconds.

Proof summary for module minimal_v_prf_3

long_path_cyclic PROVED 2 seconds
cell_rec_path_acyclic PROVED 6 seconds
path_len_bound PROVED 1 seconds
NF_cell_rec_bound_2 PROVED 3 seconds
max_path_len_bound PROVED 3 seconds
crpe_ind_1 PROVED 3 seconds
crpe_ind_2_1 PROVED 60 seconds
crpe_ind_2_2 PROVED 15 seconds
crpe_ind_2 PROVED 2 seconds
crpe_ind_3 PROVED 5 seconds
crpe_ind PROVED 5 seconds
cell_rec_path_exists PROVED 7 seconds
crip_base PROVED 35 seconds
crip_ind_1 PROVED 41 seconds
crip_ind_2 PROVED 6 seconds
crip_ind PROVED 4 seconds
cell_rec_input_path PROVED 6 seconds
crbl_base PROVED 7 seconds
crbl_lem_2 PROVED 18 seconds
crbl_ind_1 PROVED 5 seconds
(illegible) PROVED 54 seconds
(illegible) PROVED 6 seconds
(illegible) PROVED 3 seconds
crbl_lem_7 PROVED 3 seconds
(illegible) PROVED 2 seconds
crbl_ind_2_1 PROVED 23 seconds
crbl_ind_2_2 PROVED 8 seconds
crbl_ind_2 PROVED 3 seconds
crbl_lem_3 PROVED 2 seconds
crbl_ind_3 PROVED 5 seconds
crbl_ind PROVED 9 seconds
crbl_lem_1 PROVED 1 seconds
NF_cell_rec_bound_1 PROVED 8 seconds

Totals: 33 proofs, 33 attempted, 33 succeeded, 361 seconds.

Proof summary for module minimal_v_prf_2

bncr_base PROVED 4 seconds
bncr_ind_1 PROVED 3 seconds
bncr_ind_2 PROVED 11 seconds
bncr_ind_3 PROVED 3 seconds
bncr_ind PROVED 6 seconds
bound_NF_cell_rec PROVED 3 seconds
bcrp_base PROVED 9 seconds
bcrp_ind_1 PROVED 5 seconds
bcrp_ind_2 PROVED 25 seconds
bcrp_ind_3 PROVED 4 seconds
bcrp_ind PROVED 8 seconds
bound_cell_rec_path PROVED 6 seconds
full_rec_base PROVED 0 seconds
full_rec_ind PROVED 5 seconds
full_rec PROVED 3 seconds
full_rec_rp PROVED 12 seconds
nf_crn_base PROVED 5 seconds
nf_crn_ind PROVED 15 seconds
NF_cell_rec_nonzero PROVED 3 seconds
nf_v_sched PROVED 20 seconds
NF_rec_set_nonempty PROVED 2 seconds
NF_cell_rec_exists PROVED 1 seconds
nf_crr_base PROVED 1 seconds
nf_crr_ind_1 PROVED 107 seconds
nf_crr_ind_2 PROVED 42 seconds
nf_crr_ind_3 PROVED 10 seconds
nf_crr_ind PROVED 3 seconds
NF_cell_rec_recv PROVED 3 seconds
mrf_nat_hack PROVED 1 seconds
max_rec_frames_nonzero PROVED 1 seconds
max_all_rec_set_nonzero PROVED 5 seconds
recovery_period_min PROVED 1 seconds

Totals: 32 proofs, 32 attempted, 32 succeeded, 327 seconds.

Proof summary for module RS_to_US_prf

p_frame_commutes PROVED 1 seconds
p_initial_maps PROVED 2 seconds

Totals: 2 proofs, 2 attempted, 2 succeeded, 3 seconds.

Proof summary for module lemma4_opt

lemma4_self_proof PROVED 22 seconds
lemma4_others_proof PROVED 6 seconds

Totals: 2 proofs, 2 attempted, 2 succeeded, 28 seconds.
Proof summary for module summations_alt

(illegible) PROVED 2 seconds
(illegible) PROVED 34 seconds
(illegible) PROVED 4 seconds
(illegible) PROVED 29 seconds
(illegible) PROVED 69 seconds
(illegible) PROVED 4 seconds
(illegible) PROVED 6 seconds
(illegible) PROVED 8 seconds
(illegible) PROVED 81 seconds
(illegible) PROVED 87 seconds
(illegible) PROVED 10 seconds
(illegible) PROVED 17 seconds
(illegible) PROVED 4 seconds
(illegible) PROVED 1 seconds
(illegible) PROVED 267 seconds
(illegible) PROVED 1 seconds
(illegible) PROVED 7 seconds
(illegible) PROVED 393 seconds
(illegible) PROVED 12 seconds
(illegible) PROVED 26 seconds
(illegible) PROVED 6 seconds

Totals: 21 proofs, 21 attempted, 21 succeeded, 1068 seconds.
Proof summary for module to_minimal_hw_prf_2

p_cic PROVED 10 seconds
p_cic4E PROVED 6 seconds
p_cic4F PROVED 5 seconds
p_cic4D PROVED 8 seconds
p_cic4C PROVED 3 seconds
p_cic4B_TCC1 PROVED 1 seconds
p_cic4B PROVED 5 seconds
p_cs_eq_need PROVED 1 seconds
(illegible) PROVED 14 seconds

Totals: 9 proofs, 9 attempted, 9 succeeded, 52 seconds.

Proof summary for module maj_funs_to_minimal_hw_prf

p_k_maj_ax PROVED
p_t_maj_ax PROVED
p_t_maj_len_ax PROVED

Totals: 3 proofs, 3 attempted, 3 succeeded, 7 seconds.


Proof summary for module minimal_v_prf

(illegible) PROVED 0 seconds
p_succ_ax PROVED 0 seconds
(illegible) PROVED 1 seconds
(illegible) PROVED 0 seconds
(illegible) PROVED 1 seconds
p_full_recovery PROVED 1 seconds
p_initial_recovery PROVED 1 seconds
(illegible) PROVED 3 seconds
p_control_recovered PROVED 2 seconds
p_cell_recovered PROVED 24 seconds
p_vote_maj PROVED 17 seconds
p_cae_base PROVED 2 seconds
p_cae_ind_1 PROVED 6 seconds
p_cae_ind_2 PROVED 14 seconds
p_cell_apply_element PROVED 6 seconds
p_f_v_components PROVED 2 seconds
p_p_f_v_components_TCC1 PROVED 0 seconds
p_f_c_uncomputed_cells PROVED 1 seconds
p_exec_element_2 PROVED 6 seconds
p_exec_calls_match PROVED 50 seconds
p_cil_ind_l1 PROVED 15 seconds
p_cil_ind_l2 PROVED 6 seconds
p_cil_ind_l3 PROVED 1 seconds
p_cil_ind PROVED 7 seconds
p_f_c_cells_match PROVED 11 seconds
p_cell_input_frame_lem PROVED 14 seconds
rec_set_equal_1 PROVED 6 seconds
rec_set_equal_2 PROVED 6 seconds
rec_set_equal PROVED 7 seconds
NF_cell_rec_equiv PROVED 1 seconds

Totals: 30 proofs, 30 attempted, 30 succeeded, 211 seconds.

Proof summary for module summations_opt

only_2_basis_proof PROVED 13 seconds
proc_index_prop_proof PROVED 4 seconds
only_2_ind_proof PROVED 84 seconds
only_2_gen_proof PROVED 115 seconds
only_2_proof PROVED 3 seconds
bound_nonfaulty_self_proof PROVED 6 seconds
p_14se2 PROVED 225 seconds
14self_proof PROVED 16 seconds
except_2_proof PROVED 8 seconds
bound_nonfaulty_others_proof PROVED 5 seconds
p_14ot1 PROVED 147 seconds
14others_proof PROVED 23 seconds
helper_proof PROVED 0 seconds
14all_proof PROVED 24 seconds
14a_opt_proof PROVED 9 seconds
15_opt_proof PROVED 18 seconds
culmination_opt_proof PROVED 5 seconds

Totals: 17 proofs, 17 attempted, 17 succeeded, 705 seconds.

Proof summary for module minimal_v_to_minimal_hw_prf

p_cell_input_constraint PROVED 9 seconds
p_f_s_control_ax PROVED 0 seconds
p_LEM1_TCC1 PROVED 1 seconds
p_LEM1_TCC2 PROVED 2 seconds
p_LEM1 PROVED 5 seconds
p_LEM2_TCC1 PROVED 1 seconds
p_LEM2_TCC2 PROVED 1 seconds
p_LEM2 PROVED 3 seconds
p_LEM3 PROVED 3 seconds
p_LEM3_TCC1 PROVED 2 seconds
p_LEM4 PROVED 6 seconds
p_LEM5 PROVED 3 seconds
p_LEM6 PROVED 12 seconds
p_f_s_ax PROVED 30 seconds
p_cell_fn_TCC1 PROVED 1 seconds
p_f_v_TCC1 PROVED 1 seconds
p_cell_apply_MAP_EQ PROVED 3 seconds
p_f_v_ax PROVED 0 seconds
p_f_v_ax_TCC1 PROVED 0 seconds

Totals: 19 proofs, 19 attempted, 19 succeeded, 83 seconds.

Proof summary for module main_opt

basis_proof PROVED 3 seconds
skew_S1C_proof PROVED 2 seconds
ind_proof PROVED 12 seconds
Theorem_1_opt_proof PROVED 0 seconds

Totals: 4 proofs, 4 attempted, 4 succeeded, 17 seconds.

Proof summary for module clk_interface

p_sync_thm PROVED 2 seconds

Totals: 1 proofs, 1 attempted, 1 succeeded, 2 seconds.

Proof summary for module LE
Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds.

Proof summary for module DA_minv
Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds.

Proof summary for module clkprop

(illegible) PROVED
(illegible) PROVED
(illegible) PROVED
(illegible) PROVED
(illegible) PROVED
(illegible) PROVED
(illegible) PROVED
(illegible) PROVED
(illegible) PROVED
(illegible) PROVED
(illegible) PROVED
p_ft10 PROVED
p_ft11 PROVED
p_ft12 PROVED
p_GOAL PROVED

Totals: 15 proofs, 15 attempted, 15 succeeded, 38 seconds.


Proof summary for module DA
Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds.

Proof summary for module to_LE
Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds.

Proof summary for module to_DA_minv
Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds.
Proof summary for module DA_to_DS
Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds.

Proof summary for module DA_minv_to_LE
Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds.

Proof summary for module DA_to_DA_minv
Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds.

Proof summary for module DA_support
Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds.

Proof summary for module DA_lemmas
Totals: 0 proofs, 0 attempted, 0 succeeded, 0 seconds.
Proof summary for module DA_minv_to_LE_prf

p_broadcast_duration PROVED 1 seconds
p_broadcast_duration2 PROVED 0 seconds
p_all_durations PROVED 1 seconds
p_pos_durations PROVED 0 seconds

Totals: 4 proofs, 4 attempted, 4 succeeded, 2 seconds.

Proof summary for module DA_to_DA_minv_prf

p_broadcast_duration PROVED 1 seconds
p_broadcast_duration2 PROVED 1 seconds
p_all_durations PROVED 0 seconds
p_pos_durations PROVED 1 seconds

Totals: 4 proofs, 4 attempted, 4 succeeded, 3 seconds.

Proof summary for module DA_broadcast_prf

p_br1 PROVED 8 seconds
p_br1a PROVED 4 seconds
p_br2 PROVED 8 seconds
p_br3_aa PROVED 3 seconds
p_br3 PROVED 14 seconds
p_br4 PROVED 16 seconds
p_br5 PROVED 13 seconds
p_br6 PROVED 3 seconds
p_br7 PROVED 14 seconds
p_br8 PROVED 5 seconds
p_br9 PROVED 3 seconds
p_rtp0a PROVED 1 seconds
p_rtp0 PROVED 1 seconds
p_rtp1 PROVED 5 seconds
p_rtp2 PROVED 2 seconds
p_rtp3 PROVED 3 seconds
p_rtp4a PROVED 2 seconds
p_rtp4b PROVED 1 seconds
p_rtp4 PROVED 3 seconds
p_rtp5 PROVED 7 seconds
p_rtp6 PROVED 2 seconds
p_rtp7 PROVED 3 seconds
p_com_broadcast_5 PROVED 2 seconds
p_br_int PROVED 10 seconds
p_int0 PROVED 3 seconds
p_int1a PROVED 0 seconds
p_int1 PROVED 9 seconds
p_int2a PROVED 1 seconds
p_int2 PROVED 9 seconds
p_int3 PROVED 1 seconds
p_int4 PROVED 1 seconds
p_int5 PROVED 1 seconds

Totals: 32 proofs, 32 attempted, 32 succeeded.

Proof summary for module DA_support_prf

p_support_1 PROVED 3 seconds
p_support_4 PROVED 2 seconds
p_support_5 PROVED 3 seconds
p_support_14 PROVED 0 seconds
p_sl15_base PROVED 2 seconds
p_sl15_ind PROVED 13 seconds
p_support_15 PROVED 1 seconds
p_support_16 PROVED 30 seconds
p_map_1 PROVED 2 seconds
p_map_2 PROVED 0 seconds
p_map_3 PROVED 1 seconds
p_map_4 PROVED 1 seconds
p_map_7 PROVED 13 seconds
p_base_state_ind PROVED 1 seconds
p_ind_state_ind PROVED 2 seconds
p_state_induction PROVED 8 seconds
p_enough_inv_l1 PROVED 0 seconds
p_enough_inv_l2 PROVED 2 seconds
p_enough_inv PROVED 2 seconds
p_nfclk_inv_l1 PROVED 2 seconds
p_nfclk_inv_l2 PROVED 16 seconds
p_nfclk_inv PROVED 1 seconds
p_lclock_inv_l2b PROVED 14 seconds
p_lclock_inv_l2c PROVED 1 seconds
p_lclock_inv_l1 PROVED 4 seconds
p_lclock_inv_l2 PROVED 15 seconds
p_lclock_inv_l3 PROVED 3 seconds
p_lclock_inv_l4 PROVED 3 seconds
p_lclock_inv PROVED 4 seconds
p_clkval_inv_l1 PROVED 2 seconds
p_clkval_inv_l2 PROVED 22 seconds
p_clkval_inv PROVED 2 seconds
p_rtl1 PROVED 2 seconds
p_da_rt_lem PROVED 1 seconds
p_cum_delta_inv_l1 PROVED 2 seconds
p_cdi_l2a PROVED 1 seconds
p_cum_delta_inv_l2 PROVED 12 seconds
p_cum_delta_inv_l4 PROVED 8 seconds
p_cum_delta_inv PROVED 4 seconds

Totals: 39 proofs, 39 attempted, 39 succeeded, 205 seconds.


Proof summary for module DA_lemmas_prf

p_phase PROVED
p_phase_com_lx1 PROVED
p_phase_com_l PROVED
p_phase_com_lx4 PROVED
p_phase_com_lx7 PROVED
p_phase_com_broadcast PROVED
p_com_broadcast_1 PROVED
p_com_broadcast_2 PROVED
p_com_broadcast_3 PROVED
(illegible) PROVED
p_earliest_later_time PROVED
p_elt_a PROVED
(illegible) PROVED
p_phase_com_vote PROVED
p_com_vote_1 PROVED
p_com_vote_2 PROVED
p_com_vote_3 PROVED
p_com_vote_4 PROVED
p_phase_com_sync PROVED
p_com_sync_1 PROVED
p_com_sync_2 PROVED
(illegible) PROVED
p_com_sync_4 PROVED

Totals: 23 proofs, 23 attempted, 23 succeeded, 61 seconds.

Proof summary for module le_top

p_dummy PROVED

Totals: 1 proofs, 1 attempted, 1 succeeded, 17 seconds.

Proof summary for module DA_to_DS_prf

p_phase_commutes PROVED
p_initial_maps PROVED

Totals: 2 proofs, 2 attempted, 2 succeeded, 3 seconds.

Proof summary for module top

p_RS_frame_commutes PROVED
p_RS_initial_map PROVED
p_DS_frame_commutes PROVED
p_DS_initial_maps PROVED
p_DA_phase_commutes PROVED
p_DA_initial_maps PROVED
p_dummy PROVED

Totals: 7 proofs, 7 attempted, 7 succeeded, 6 seconds.

Proof summary for module everything

p_dumb PROVED

Totals: 1 proofs, 1 attempted, 1 succeeded, 0 seconds.


Grand Totals: 859 proofs, 859 attempted, 859 succeeded, 7422 seconds.

B.3 All Module Obligation Status (amos)

This report was reproduced by deleting entries for modules having no obligations. 

Obligation proof status for modules on using chain of module everything 


Obligation proof summary for module nat_types

upto_TCC1 proved
upfrom_TCC1 proved
below proved
above_TCC1 proved

Totals: 4 obligations, 4 proved, 0 unproved.

Obligation proof summary for module interp_rcp

processors_TCC1 proved

Totals: 1 obligations, 1 proved, 0 unproved.

Obligation proof summary for module numeric_types

posnum_TCC1 proved
nonnegnum_TCC1 proved
fraction_TCC1 proved

Totals: 3 obligations, 3 proved, 0 unproved.

Obligation proof summary for module rcp_defs_i

processors_TCC1 proved

Totals: 1 obligations, 1 proved, 0 unproved.

Obligation proof summary for module memory_generic

address_ty_TCC1 proved
address_range_ty_TCC1 proved
addr_len_ty_TCC1 proved

Totals: 3 obligations, 3 proved, 0 unproved.

Obligation proof summary for module finite_sets

finite_set_TCC1 proved

Totals: 1 obligations, 1 proved, 0 unproved.

Obligation proof summary for module absolutes

abs_recip_TCC1 proved

Totals: 1 obligations, 1 proved, 0 unproved.

Obligation proof summary for module rcp_defs_hw

(illegible) proved
write_cell_TCC1 proved

Totals: 2 obligations, 2 proved, 0 unproved.

Obligation proof summary for module path_funs

rec_set_TCC1 proved
NF_rec_set_TCC1 proved
path_len_set_TCC1 proved
all_rec_set_TCC1 proved

Totals: 4 obligations, 4 proved, 0 unproved.

Obligation proof summary for module proc_induction

proc_plus_TCC1 proved

Totals: 1 obligations, 1 proved, 0 unproved.

Obligation proof summary for module maxf_to_maxf_model

max_ax proved

Totals: 1 obligations, 1 proved, 0 unproved.

Obligation proof summary for module recursive_maj

eq_reflexive proved
eq_symmetric proved
eq_transitive proved

Totals: 3 obligations, 3 proved, 0 unproved.

Obligation proof summary for module mailbox_hw

MBcell_TCC1 proved

Totals: 1 obligations, 1 proved, 0 unproved.

Obligation proof summary for module time_maptime

C1 proved

Totals: 1 obligations, 1 proved, 0 unproved.

Obligation proof summary for module algorithm

C6_TCC1 proved

Totals: 1 obligations, 1 proved, 0 unproved.

Obligation proof summary for module juggle_opt

rearrange_delta_opt_TCC1 proved

Totals: 1 obligations, 1 proved, 0 unproved.
Obligation proof summary for module minimal_hw

cell_of_MB_map_lem_TCC1 proved
f_s_mem_TCC1 proved
f_s_lem_TCC1 proved
f_s_lem_TCC2 proved
(illegible) proved
f_v_TCC1 proved

Totals: 6 obligations, 6 proved, 0 unproved.

Obligation proof summary for module rcp_defs_imp_to_hw

cells_ax proved
write_cell_ax proved
null_memory_ax proved
cebuf_ax proved
cell_state_reflexive proved
cell_state_symmetric proved
cell_state_transitive proved
control_state_reflexive proved
control_state_symmetric proved
control_state_transitive proved
frame_congruence proved
cs_length_congruence proved
write_cell_congruence proved

Totals: 13 obligations, 13 proved, 0 unproved.

Obligation proof summary for module minimal_v

cell_fn_TCC1 proved
f_v_ax_TCC1 proved

Totals: 2 obligations, 2 proved, 0 unproved.

Obligation proof summary for module algorithm_mapalgorithm

(illegible) proved
(illegible) proved
(illegible) proved
C0 proved
(illegible) proved
(illegible) proved
(illegible) proved
C6 proved
(illegible) proved
C6_TCC1 proved
C6_opt proved

Totals: 11 obligations, 11 proved, 0 unproved.

Obligation proof summary for module maj_hw_to_maj_hw_model

k_maj_ax proved
t_maj_ax proved
t_maj_len_ax proved

Totals: 3 obligations, 3 proved, 0 unproved.

Obligation proof summary for module minimal_hw_prf_2

Fs1_TCC1 proved
Fs2_TCC1 proved
Fs3_TCC1 proved
Fs3_TCC2 proved

Totals: 4 obligations, 4 proved, 0 unproved.

Obligation proof summary for module minimal_hw_prf

p_cell_of_MB_map_lem_TCC2 proved
p_cell_of_MB_map_lem_TCC3 proved

Totals: 2 obligations, 2 proved, 0 unproved.

Obligation proof summary for module frame_funs_to_gc_hw

succ_cntr_ax proved
pred_cntr_ax proved
pred_succ_ax proved
succ_congruence proved
pred_congruence proved

Totals: 5 obligations, 5 proved, 0 unproved.

Obligation proof summary for module RS_majority_to_RS_maj_model

maj_ax proved

Totals: 1 obligations, 1 proved, 0 unproved.

Obligation proof summary for module rcp_defs_imp_to_hw_prf

c0b_TCC1 proved
c1_TCC1 proved
c2_TCC1 proved
p_c2_TCC2 proved
c3_TCC1 proved
c7_TCC1 proved

Totals: 6 obligations, 6 proved, 0 unproved.

Obligation proof summary for module gen_com_to_gc_hw

memory_equal proved
exec_task_ax proved
exec_task_ax_2 proved

Totals: 3 obligations, 3 proved, 0 unproved.

Obligation proof summary for module generic_FT_to_minimal_v

recovery_period_ax proved
succ_ax proved
control_nc proved
cells_nc proved
full_recovery proved
initial_recovery proved
(illegible) proved
components_equal proved
control_recovered proved
cell_recovered proved
vote_maj proved

Totals: 11 obligations, 11 proved, 0 unproved.

Obligation proof summary for module minimal_v_to_minimal_hw

cell_apply_MAP_EQ proved
(illegible) proved
f_s_control_ax proved
f_v_ax proved
(illegible) proved
cell_input_constraint proved

Totals: 6 obligations, 6 proved, 0 unproved.

Obligation proof summary for module gen_com_to_gc_hw_prf

mem_eq_LEM1_TCC1 proved
mem_eq_LEM1_TCC2 proved
p_mem_eq_LEM1_TCC3 proved

Totals: 3 obligations, 3 proved, 0 unproved.

Obligation proof summary for module maj_funs_to_minimal_hw

k_maj_ax proved
t_maj_ax proved
t_maj_len_ax proved

Totals: 3 obligations, 3 proved, 0 unproved.

Obligation proof summary for module to_minimal_hw_prf_2

cic4B_TCC1 proved

Totals: 1 obligations, 1 proved, 0 unproved.

Obligation proof summary for module minimal_v_prf

p_f_v_components_TCC1 proved

Totals: 1 obligations, 1 proved, 0 unproved.

Obligation proof summary for module minimal_v_to_minimal_hw_prf

LEM1_TCC1 proved
LEM1_TCC2 proved
LEM2_TCC1 proved
LEM2_TCC2 proved
LEM3_TCC1 proved

Totals: 5 obligations, 5 proved, 0 unproved.

Obligation proof summary for module DA_minv_to_LE

broadcast_duration proved
broadcast_duration2 proved
all_durations proved
pos_durations proved

Totals: 4 obligations, 4 proved, 0 unproved.

Obligation proof summary for module DA_to_DA_minv

broadcast_duration proved
broadcast_duration2 proved
all_durations proved
pos_durations proved

Totals: 4 obligations, 4 proved, 0 unproved.

Grand Totals: 123 obligations, 123 proved, 0 unproved. 
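A reader who relies on this appendix as evidence that the design was fully verified wants the Totals lines checked rather than trusted: a module whose listed entries do not match its Totals line, or whose attempted or succeeded count falls short of its proof count, is exactly where a proof that was never run would hide. The following Python script is an added example and is not part of the original report or of the EHDM toolset. It parses the proof summary format used in this appendix (module header, one entry per proof with an optional timing, Totals and Grand Totals lines) and reports every discrepancy it finds. The listing embedded in it is constructed for illustration from the format above, and the UNPROVED status word in the third copy is an assumption used only to show a non-PROVED entry.

```python
"""Consistency check for EHDM-style "Proof summary for module" listings.

Added example, not code from the original report or from the EHDM tools.
It parses the proof-status format used in this appendix and reports:
modules whose Totals line disagrees with the entries under it, modules
where fewer proofs were attempted or succeeded than declared, and a
Grand Totals line that is not the sum over modules.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MODULE_RE = re.compile(r"^Proof summary for module (\S+)$")
ENTRY_RE = re.compile(r"^(\S+)\s+([A-Za-z]+)(?:\s+(\d+)\s+seconds)?$")
TOTALS_RE = re.compile(
    r"^Totals:\s*(\d+) proofs, (\d+) attempted, (\d+) succeeded, (\d+) seconds\.?$")
GRAND_RE = re.compile(
    r"^Grand Totals:\s*(\d+) proofs, (\d+) attempted, (\d+) succeeded, (\d+) seconds\.?$")


@dataclass
class Module:
    name: str
    # (proof name, status, seconds or None when the listing omits the time)
    entries: List[Tuple[str, str, Optional[int]]] = field(default_factory=list)
    totals: Optional[Tuple[int, int, int, int]] = None  # proofs, attempted, succeeded, seconds


def parse_listing(text: str):
    """Return ([Module, ...], grand_totals_tuple_or_None) for one listing."""
    modules, grand, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := MODULE_RE.match(line)):
            current = Module(m.group(1))
            modules.append(current)
        elif (m := GRAND_RE.match(line)):
            grand = tuple(int(x) for x in m.groups())
        elif (m := TOTALS_RE.match(line)) and current is not None:
            current.totals = tuple(int(x) for x in m.groups())
        elif (m := ENTRY_RE.match(line)) and current is not None:
            name, status, secs = m.groups()
            current.entries.append((name, status.upper(), int(secs) if secs else None))
    return modules, grand


def check_listing(text: str) -> List[str]:
    """Return the discrepancies found; an empty list means the listing is self-consistent."""
    modules, grand = parse_listing(text)
    problems: List[str] = []
    sums = [0, 0, 0, 0]  # proofs, attempted, succeeded, seconds over all modules
    for mod in modules:
        if mod.totals is None:
            problems.append(f"{mod.name}: no Totals line")
            continue
        n_proofs, attempted, succeeded, seconds = mod.totals
        listed = len(mod.entries)
        proved = sum(1 for _, status, _ in mod.entries if status == "PROVED")
        if listed != n_proofs:
            problems.append(f"{mod.name}: Totals declares {n_proofs} proofs, {listed} listed")
        if proved != succeeded:
            problems.append(f"{mod.name}: Totals declares {succeeded} succeeded, {proved} PROVED")
        if not (n_proofs == attempted == succeeded):
            # The property the report relies on: every proof was run and every run succeeded.
            problems.append(f"{mod.name}: {n_proofs} proofs, {attempted} attempted, {succeeded} succeeded")
        times = [t for _, _, t in mod.entries if t is not None]
        if times and len(times) == listed and sum(times) != seconds:
            problems.append(f"{mod.name}: entry times sum to {sum(times)} s, Totals says {seconds} s")
        for i, v in enumerate(mod.totals):
            sums[i] += v
    if grand is None:
        problems.append("no Grand Totals line")
    elif list(grand) != sums:
        problems.append(f"Grand Totals {grand} differ from the sum over modules {tuple(sums)}")
    return problems


# Constructed sample in the appendix's format (names taken from the listing above);
# the second and third copies are deliberately damaged. "UNPROVED" is an assumed
# status word, chosen only to show a non-PROVED entry.
SAMPLE_LISTING = """\
Proof summary for module clk_interface

p_sync_thm PROVED 2 seconds

Totals: 1 proofs, 1 attempted, 1 succeeded, 2 seconds.

Proof summary for module main_opt

basis_proof PROVED 3 seconds
skew_S1C_proof PROVED 2 seconds
ind_proof PROVED 12 seconds
Theorem_1_opt_proof PROVED 0 seconds

Totals: 4 proofs, 4 attempted, 4 succeeded, 17 seconds.

Grand Totals: 5 proofs, 5 attempted, 5 succeeded, 19 seconds.
"""
# Totals line inflated without a matching entry: caught three ways.
TAMPERED_LISTING = SAMPLE_LISTING.replace(
    "Totals: 4 proofs, 4 attempted, 4 succeeded, 17 seconds.",
    "Totals: 5 proofs, 4 attempted, 4 succeeded, 17 seconds.")
# Internally consistent, but one proof did not succeed: still reported.
INCOMPLETE_LISTING = (SAMPLE_LISTING
    .replace("p_sync_thm PROVED 2 seconds", "p_sync_thm UNPROVED 2 seconds")
    .replace("Totals: 1 proofs, 1 attempted, 1 succeeded, 2 seconds.",
             "Totals: 1 proofs, 1 attempted, 0 succeeded, 2 seconds.")
    .replace("Grand Totals: 5 proofs, 5 attempted, 5 succeeded, 19 seconds.",
             "Grand Totals: 5 proofs, 5 attempted, 4 succeeded, 19 seconds."))

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_LISTING), ("tampered", TAMPERED_LISTING),
                        ("incomplete", INCOMPLETE_LISTING)):
        found = check_listing(text)
        print(f"{label}: {'consistent' if not found else str(len(found)) + ' problem(s)'}")
        for p in found:
            print("  " + p)
```

Run the script directly to see the three listings scored; check_listing returns an empty list only when every per-module Totals line and the Grand Totals line agree with the entries and every declared proof was attempted and succeeded. Modules that omit timings for some entries, as several in this appendix do, skip the time check rather than reporting a false mismatch, and a module whose Totals line lacks a seconds figure is reported as having no Totals line, which is the conservative reading.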